PIX 515E (7.0.1) - Problem with VPN Connection from inside to outside

domipe
Level 1

Hello,

I've created a VLAN on the PIX.

Users in this VLAN are allowed to connect only to the Internet. Everything is fine, but when they try to connect with their VPN client to their company, there are problems... (Traffic flows to the outside, but no traffic comes back.)

Is the only solution for this problem to create a NAT pool with public IP addresses, to make a one-to-one mapping, or is there another solution with one public IP address (NAT over PAT) possible for this problem?

Thanks for your replies.

D.

4 Replies

colin
Level 1

Hi D,

Make sure that you have allowed ESP (protocol 50) to come back into the firewall, and that you have configured the fixup for esp as well.

Cheers,

-colin

Hi Colin,

Thanks for your reply.

ESP is allowed back through the PIX.

But the problem is the same...

D.

The problem is that ESP is an IP protocol, therefore PAT will not work in this scenario. When the return traffic comes back to the PIX, it does not know how to forward it to the inside host. The only way to achieve this is by adding a static NAT (1-to-1 mapping) and creating a rule to allow ESP. What type of VPN client is it? Microsoft VPN? Cisco VPN? If it is Cisco VPN, perhaps they can use NAT-T on the VPN, which overcomes the PAT issue by encapsulating IPsec packets inside UDP. You'd have to speak to the VPN admin and have him enable it.

-kevin
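As an added illustration of Kevin's point (example code, not from the thread or from Cisco), here is a toy Python model of a NAT device with one PAT address and optional static 1-to-1 entries. It shows why a raw ESP reply cannot be matched to an inside host under PAT, while a static mapping plus an inbound ESP rule, or NAT-T (here modelled as UDP/4500), gets the reply home. All addresses are constructed, and the xlate logic is a deliberate simplification of the real PIX.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Pkt:
    proto: str                   # "esp" (IP protocol 50) or "udp"
    src: str
    dst: str
    sport: Optional[int] = None  # ESP carries no L4 ports, only an SPI
    dport: Optional[int] = None

class Pix:
    """Simplified model: static 1-to-1 entries plus PAT on one public address."""
    def __init__(self, pat_ip, static=None, permit_inbound=()):
        self.pat_ip = pat_ip
        self.static = dict(static or {})            # inside_ip -> public_ip (1-to-1)
        self.permit_inbound = set(permit_inbound)   # protocols the outside ACL lets in
        self.xlate = {}                             # (proto, pat_port) -> (inside_ip, inside_port)
        self._next_port = 1024

    def outbound(self, p):
        if p.src in self.static:                    # static NAT rewrites by IP, any protocol
            return replace(p, src=self.static[p.src])
        if p.sport is None:                         # PAT can rewrite the address, but with no
            return replace(p, src=self.pat_ip)      # port there is nothing to key a reverse entry on
        pat_port, self._next_port = self._next_port, self._next_port + 1
        self.xlate[(p.proto, pat_port)] = (p.src, p.sport)
        return replace(p, src=self.pat_ip, sport=pat_port)

    def inbound(self, p):
        for inside, public in self.static.items():  # static: reverse by IP, then apply the ACL
            if p.dst == public:
                return replace(p, dst=inside) if p.proto in self.permit_inbound else None
        entry = self.xlate.get((p.proto, p.dport)) if p.dst == self.pat_ip else None
        if entry is None:
            return None                             # raw ESP under PAT ends here: no xlate to match
        inside_ip, inside_port = entry
        return replace(p, dst=inside_ip, dport=inside_port)

def vpn_round_trip(pix, inside_ip, gateway, proto, sport=None, dport=None):
    """True if the VPN gateway's reply makes it back to inside_ip."""
    out = pix.outbound(Pkt(proto, inside_ip, gateway, sport, dport))
    reply = Pkt(proto, gateway, out.src, out.dport, out.sport)   # gateway answers what it saw
    back = pix.inbound(reply)
    return back is not None and back.dst == inside_ip

if __name__ == "__main__":
    pat_only = Pix("198.51.100.1")
    print("ESP via PAT:", vpn_round_trip(pat_only, "192.168.10.10", "192.0.2.1", "esp"))
    print("NAT-T via PAT:", vpn_round_trip(pat_only, "192.168.10.10", "192.0.2.1", "udp", 4500, 4500))
```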

Hi Kevin,

thanks for your reply.

We have solved this problem now with the NAT-T solution, and it works fine.

Thanks a lot.

D.