01-12-2005 02:13 AM - edited 02-21-2020 01:32 PM
Hi Guys!
My VPN Server is a PIX 6.3(4). It is working properly, because the Cisco VPN software client can connect to the server from behind the firewall by using NAT-T.
I also want to use a PIX (6.3) as a VPN Client from behind another firewall (also a PIX :).
I tried the nat-traversal command, but the PIX does not use UDP port 4500 (NAT-T); it uses UDP 500 (ISAKMP), so the VPN is not working. It seems the PIX is not able to work as a NAT-T VPN Client.
Can the PIX work as a NAT-T VPN Client (Easy VPN)?
Thanks,
Krisztian
(Hungary)
01-12-2005 05:05 PM
Hi Krisztian,
The PIX has NAT-T capability built in and automatically negotiates it when passing through a NAT device.
Try debugging both ends during the exchange and see what shows up.
Cheers,
Paul.
01-13-2005 12:51 AM
Dear Paul,
Thank you for your answer!
I tried the debugs; see the result below:
debug crypto isakmp
debug crypto ipsec
VPN server: x.x.x.x
VPN Client: y.y.y.y (private address)
NAT device: z.z.z.z
The client side:
pixamm(config)# vpncli conn
Attempting to connect. Please wait for operation to complete ...
ISAKMP (0): ID payload
next-payload : 13
type : 11
protocol : 17
port : 0
length : 13
ISAKMP (0): Total payload length: 17
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: sa not found for ike msg
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: sa not found for ike msg
The Server side:
crypto_isakmp_process_block:src:z.z.z.z, dest:x.x.x.x spt:251 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
.
.
.
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy
crypto_isakmp_process_block:src:z.z.z.z, dest:x.x.x.x spt:251 dpt:500
VPN Peer:ISAKMP: Peer Info for z.z.z.z8/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:z.z.z.z, dest:x.x.x.x spt:251 dpt:500
VPN Peer:ISAKMP: Peer Info for z.z.z.z/500 not found - peers:0
Thanks,
Krisztian
(Hungary)
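To make the debug output above easier to read, here is an added example (not from the original thread or from Cisco) that parses PIX 6.3 "debug crypto isakmp" lines and reports the facts a troubleshooter looks for: whether the NAT-T vendor ID was offered, whether the exchange ever floated to UDP 4500, how many phase 1 retransmits and "sa not found" errors occurred, how many proposals the responder rejected, and which peers arrive with a rewritten source port (the spt:251 on the server side is the NAT device's translation, which is exactly the condition NAT-T exists to handle). The sample log is constructed from the lines in the post; the function names and the regular expressions are my own.

```python
import re

# Constructed sample, modelled on the debug output in the thread above.
# Addresses are the same placeholders the poster used.
SAMPLE_DEBUG = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: sa not found for ike msg
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:z.z.z.z, dest:x.x.x.x spt:251 dpt:500
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

# One line per received/sent IKE packet: source, destination, UDP ports.
BLOCK_RE = re.compile(
    r"crypto_isakmp_process_block:src:(\S+), dest:(\S+) spt:(\d+) dpt:(\d+)"
)
# The lifetime attribute is printed as a big-endian list of bytes.
LIFE_RE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")

IKE_PORT = 500
NAT_T_PORT = 4500


def parse_blocks(text):
    """Return a list of (src, dst, spt, dpt) tuples for every IKE packet seen."""
    packets = []
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            src, dst, spt, dpt = m.groups()
            packets.append((src, dst, int(spt), int(dpt)))
    return packets


def decode_lifetime(line):
    """Fold the byte list after 'life duration (VPI) of' into seconds.
    '0x0 0x1 0x51 0x80' is 0x00015180 = 86400 s, i.e. a 24 hour SA lifetime."""
    m = LIFE_RE.search(line)
    if not m:
        return None
    seconds = 0
    for tok in m.group(1).split():
        seconds = (seconds << 8) | int(tok, 16)
    return seconds


def assess(text):
    """Summarise the IKE exchange from a defender's point of view."""
    packets = parse_blocks(text)
    lines = text.splitlines()

    # A peer whose packets arrive from a port other than 500/4500 has had its
    # source port rewritten by a NAT device on the path.
    translated = []
    for src, _dst, spt, _dpt in packets:
        if spt not in (IKE_PORT, NAT_T_PORT) and (src, spt) not in translated:
            translated.append((src, spt))

    return {
        # Vendor ID payload offered: both sides must send it for NAT-T to negotiate.
        "nat_t_offered": any("sending NAT-T vendor ID" in l for l in lines),
        # NAT-T actually engaged only if some packet used UDP 4500.
        "nat_t_floated": any(NAT_T_PORT in (spt, dpt) for _s, _d, spt, dpt in packets),
        "retransmits": sum("retransmitting phase 1" in l for l in lines),
        "sa_not_found": sum("sa not found for ike msg" in l for l in lines),
        "proposals_rejected": sum("atts are not acceptable" in l for l in lines),
        "translated_source_ports": translated,
        "lifetimes_seconds": [decode_lifetime(l) for l in lines if LIFE_RE.search(l)],
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Reading the result for the poster's log: NAT-T was offered but never floated to 4500, every response hit "sa not found", and the responder saw the initiator's source port as 251 rather than 500. That combination says the NAT device in between is translating the IKE traffic while NAT-T encapsulation was never negotiated, which is the symptom to chase rather than the proposal mismatches, which are just the responder walking its policy list.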
01-13-2005 06:17 AM
Hello,
You are correct, it's not triggering NAT-T. Most likely you don't have NAT-T configured on the PIX. Please turn it on with the following command -
isakmp nat-traversal 20
More details can be found here -
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312
You may want to search by nat-traversal as a keyword.
Thanks,
Mynul
01-13-2005 06:45 AM
Dear Mynul,
My problematic PIX is acting as the VPN Client. The 'isakmp nat-traversal' command has no effect on the PIX Remote VPN Client, only on the Server, if I understand correctly.
My VPN Server (PIX) has the 'isakmp nat-traversal' command. It's working properly.
My VPN Client (also a PIX) initiates a VPN connection through the inside interface ('isakmp enable inside') through another PIX. It's not working properly.
If I try the VPN connection through the outside interface ('isakmp enable outside'), NAT-T works properly. But I have to initiate through the inside.
It seems the PIX VPN Client is not able to initiate a NAT-T connection through the inside interface, only through the outside.
Any idea?
Thanks,
Krisztian
(Hungary)