08-24-2005 10:47 PM - edited 02-21-2020 01:55 PM
Hello,
I've created a VLAN on the PIX.
Users in this VLAN are allowed to connect only to the Internet. Everything is fine, but when they try to connect with their VPN client to their company, there are problems... (Traffic flows to the outside, but no traffic comes back.)
Is the only solution for this problem to create a NAT pool with public IP addresses, to make a one-to-one mapping, or is there another solution with one public IP address (NAT over PAT) possible for this problem?
Thanks for your replies.
D.
08-25-2005 05:22 AM
Hi D,
Make sure that you have allowed ESP (protocol 50) to come back into the firewall, and that you have configured the fixup for esp as well.
Cheers,
-colin
08-26-2005 02:04 AM
Hi Colin,
thanks for your reply.
ESP is allowed back through the PIX.
But the problem is the same...
D.
08-26-2005 07:59 AM
The problem is that ESP is an IP protocol, therefore PAT will not work in this scenario. When the return traffic comes back to the PIX, it does not know how to forward it to the inside host. The only way to achieve this is by adding a static NAT (1-to-1 mapping) and creating a rule to allow ESP. What type of VPN client is it? Microsoft VPN? Cisco VPN? If it is Cisco VPN, perhaps they can use NAT-T on the VPN, which overcomes the PAT issue by encapsulating IPsec packets inside UDP. You'd have to speak to the VPN admin and have him enable it.
-kevin
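The point Kevin makes above (a port-keyed PAT has nothing to key on for ESP, whereas a 1:1 static mapping or NAT-T does) can be shown with a small model. The block below is an added example, not code from this thread or from Cisco: it models a simplified, port-keyed many-to-one translator and a one-to-one static translator in Python, encapsulates ESP in UDP/4500 the way NAT-T does, and runs the three cases discussed here. All addresses, SPIs and port numbers are constructed sample values, and the translator is a deliberately minimal model, not the PIX implementation.

```python
"""Why port-based PAT cannot return ESP to an inside host, while 1:1 static
NAT or NAT-T (ESP carried in UDP/4500, RFC 3948) can.

Added example, not from the original thread. Addresses, SPIs and ports are
constructed sample values; the translators are minimal models, not the PIX.
"""
from dataclasses import dataclass, replace
from typing import Optional

ESP = 50           # IP protocol number for ESP: the header has SPI/sequence, no ports
UDP = 17
NAT_T_PORT = 4500  # UDP port used by IPsec NAT-Traversal


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: there is no port field to use
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP SPI, carried along for readability only


def reply(p: Packet) -> Packet:
    """Model the remote gateway answering: swap addresses and ports."""
    return Packet(p.proto, p.dst, p.src, p.dport, p.sport, p.spi)


class PortPAT:
    """Many-to-one translation keyed on (protocol, translated port)."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.sport is None:
            # No L4 port: a port-keyed table cannot create an entry for this flow.
            return None
        key = (p.proto, self.next_port)
        self.table[key] = (p.src, p.sport)
        self.next_port += 1
        return replace(p, src=self.public_ip, sport=key[1])

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip or p.dport is None:
            # Raw ESP arriving at the shared address: nothing to look up.
            return None
        inside = self.table.get((p.proto, p.dport))
        if inside is None:
            return None
        return replace(p, dst=inside[0], dport=inside[1])


class StaticNAT:
    """One-to-one mapping: valid for any IP protocol, ports are irrelevant.
    On the PIX the inbound ESP (protocol 50) must also be permitted by an ACL;
    that filtering step is not modelled here."""

    def __init__(self, public_ip: str, inside_ip: str):
        self.public_ip, self.inside_ip = public_ip, inside_ip

    def outbound(self, p: Packet) -> Optional[Packet]:
        return replace(p, src=self.public_ip) if p.src == self.inside_ip else None

    def inbound(self, p: Packet) -> Optional[Packet]:
        return replace(p, dst=self.inside_ip) if p.dst == self.public_ip else None


def nat_t_encapsulate(esp: Packet, sport: int = NAT_T_PORT) -> Packet:
    """NAT-T: carry the ESP packet inside UDP/4500 so a port-keyed PAT has a key."""
    return Packet(UDP, esp.src, esp.dst, sport, NAT_T_PORT, esp.spi)


def run_scenarios() -> dict:
    """Run the three cases from the thread; returns True where the host gets its reply."""
    inside_a, inside_b = "10.10.10.10", "10.10.10.11"  # constructed VLAN hosts
    public, gateway = "203.0.113.1", "198.51.100.5"    # constructed PIX outside / company VPN gateway
    results = {}

    # 1. Plain PAT with raw ESP: no port to build or match a translation on.
    pat = PortPAT(public)
    esp_a = Packet(ESP, inside_a, gateway, spi=0x1000)
    out = pat.outbound(esp_a)
    results["pat_raw_esp"] = out is not None and pat.inbound(reply(out)) is not None
    results["pat_raw_esp_return_dropped"] = pat.inbound(Packet(ESP, gateway, public, spi=0x2000)) is None

    # 2. Static 1:1 NAT: the public address alone identifies the inside host.
    static = StaticNAT(public, inside_a)
    back = static.inbound(reply(static.outbound(esp_a)))
    results["static_esp"] = back is not None and back.dst == inside_a

    # 3. NAT-T through the same PAT: two hosts share one public address and still get their replies.
    pat = PortPAT(public)
    esp_b = Packet(ESP, inside_b, gateway, spi=0x1001)
    back_a = pat.inbound(reply(pat.outbound(nat_t_encapsulate(esp_a))))
    back_b = pat.inbound(reply(pat.outbound(nat_t_encapsulate(esp_b))))
    results["pat_nat_t"] = (back_a.dst, back_b.dst, back_a.dport, back_b.dport) == (inside_a, inside_b, NAT_T_PORT, NAT_T_PORT)
    return results


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case:28s} {'reply delivered' if ok else 'no translation'}")
```

The third case is the generalisation of what the thread settles on: once the ESP payload is inside UDP, the translator multiplexes the two VLAN hosts on distinct source ports exactly as it does for any other UDP flow, which is why NAT-T needs no per-client public address.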
09-03-2005 12:59 PM
Hi Kevin,
thanks for your reply.
We have solved this problem now with the NAT-T solution and it works fine.
Thanks a lot.
D.