isakmp nat-traversal 20 does not work

jemorris73
Level 1

I've enabled isakmp nat-traversal 20 on a PIX 525 ver. 6.3 to allow multiple VPN connections from a site that is doing NAT. I'm doing NAT on the home site. One computer can connect but I'm still having problems with more than one computer connecting to the home site. Is there anything else that needs to be done to allow multiple connections?

3 Replies

jmia
Level 7

John,

Has the remote site got NAT-T enabled as well? Can you please post your config too - take out any sensitive info.

Jay

No option on remote site router (Netgear).

Here are some lines from the config.

nat (inside) 0 10.0.0.0 255.0.0.0 0 0

static (inside,outside) STATEMENTS

conduit permit STATEMENTS

=============

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

crypto ipsec transform-set md5 esp-des esp-md5-hmac

crypto dynamic-map md5 70 set transform-set md5

crypto map rtpmap 70 ipsec-isakmp dynamic md5

crypto map rtpmap client configuration address initiate

crypto map rtpmap client configuration address respond

crypto map rtpmap interface outside

isakmp enable outside

isakmp key *********** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

isakmp identity address

isakmp client configuration address-pool local dealer outside

isakmp nat-traversal 20

isakmp policy 70 authentication pre-share

isakmp policy 70 encryption des

isakmp policy 70 hash md5

isakmp policy 70 group 2

isakmp policy 70 lifetime 86400

vpngroup (VPN Group Name) idle-time 1800

vpngroup (VPN Group Name) password

Hello Morris,

NAT-T is required only at the destination. You don't need it at the source. Anyway, if one user is able to connect, there's no problem with the configuration of the destination. Are you getting any debug messages when the second user fails to connect? Not really sure about Netgear, but in PIX, there are no commands which will limit NAT-T connections onto it.

Get us some debugs if possible.

Raj