PIX as VPN client using NAT-traversal (NAT-T)

diank
Level 1

Hi Guys!

My VPN server is a PIX 6.3(4). It is working properly, because the Cisco VPN software client can connect to the server from behind the firewall by using NAT-T.

I also want to use a PIX (6.3) as a VPN client from behind another firewall (also a PIX :).

I tried the nat-traversal command, but the PIX does not use UDP port 4500 (NAT-T); it uses UDP 500 (ISAKMP), so the VPN is not working. It seems the PIX is not able to work as a NAT-T VPN client.

Can the PIX work as a NAT-T VPN client (Easy VPN)?

Thanks,

Krisztian

(Hungary)

4 Replies

turnbull
Level 1

Hi Krisztian,

The PIX has NAT-T capability built in and automatically negotiates it when passing through a NAT device.

Try debugging both ends during the exchange and see what shows up.

Cheers,

Paul.

Dear Paul,

Thank you for your answer!

I tried debugging; see the result below:

debug crypto isakmp
debug crypto ipsec

VPN server: x.x.x.x
VPN client: y.y.y.y (private address)
NAT device: z.z.z.z

The client side:

pixamm(config)# vpncli conn
Attempting to connect. Please wait for operation to complete ...
ISAKMP (0): ID payload
  next-payload : 13
  type : 11
  protocol : 17
  port : 0
  length : 13
ISAKMP (0): Total payload length: 17
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: sa not found for ike msg
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: sa not found for ike msg

The server side:

crypto_isakmp_process_block:src:z.z.z.z, dest:x.x.x.x spt:251 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
...
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy
crypto_isakmp_process_block:src:z.z.z.z, dest:x.x.x.x spt:251 dpt:500
VPN Peer:ISAKMP: Peer Info for z.z.z.z8/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:z.z.z.z, dest:x.x.x.x spt:251 dpt:500
VPN Peer:ISAKMP: Peer Info for z.z.z.z/500 not found - peers:0

Thanks,

Krisztian

(Hungary)

Hello,

You are correct, it's not triggering NAT-T. Most likely you don't have NAT-T configured on the PIX. Please turn it on with the following command:

isakmp nat-traversal 20

More details can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312

You may want to search by nat-traversal as a keyword.

Thanks,

Mynul

Dear Mynul,

My problematic PIX is acting as a VPN client. The 'isakmp nat-traversal' command has no effect on a PIX remote VPN client, only on the server, as far as I know.

My VPN server (PIX) has the 'isakmp nat-traversal' command. It's working properly.

My VPN client (also a PIX) initiates a VPN connection through the inside interface ('isakmp enable inside') through another PIX. It's not working properly.

If I try the VPN connection through the outside interface ('isakmp enable outside'), NAT-T works properly. But I have to initiate through the inside.

It seems the PIX VPN client is not able to initiate a NAT-T connection through the inside interface, only through the outside.

Any idea?

Thanks,

Krisztian

(Hungary)
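As an added example (editor's code, not from the thread or from Cisco), a small Python triage for the 'debug crypto isakmp' output quoted earlier in this thread: it infers a NAT in the path from a rewritten ISAKMP source port (the server sees spt:251 rather than 500), checks whether the exchange ever moved to UDP 4500 (which is the only proof that NAT-T took effect), and counts phase-1 transforms rejected with 'atts are not acceptable'. The sample lines are constructed and use documentation addresses in place of x.x.x.x / z.z.z.z.

```python
import re

# Constructed sample modelled on the debug quoted in the thread; the addresses
# are documentation ranges (192.0.2.1 = VPN server, 198.51.100.7 = NAT device).
SAMPLE_DEBUG = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Aggressive Mode exchange
crypto_isakmp_process_block:src:198.51.100.7, dest:192.0.2.1 spt:251 dpt:500
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 3
crypto_isakmp_process_block:src:198.51.100.7, dest:192.0.2.1 spt:251 dpt:500
VPN Peer:ISAKMP: Peer Info for 198.51.100.7/500 not found - peers:0
"""

BLOCK_RE = re.compile(r"process_block:src:(\S+), dest:(\S+) spt:(\d+) dpt:(\d+)")
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority \d+ policy")
IKE_PORT, NAT_T_PORT = 500, 4500


def triage(debug_text: str) -> dict:
    """Reduce one 'debug crypto isakmp' capture to its NAT-T and phase-1 facts."""
    ports = set()                 # (spt, dpt) pairs seen in process_block lines
    checked, rejected = [], []    # transform numbers checked / rejected
    nat_t_offered = False
    for line in debug_text.splitlines():
        if "NAT-T vendor ID" in line:
            nat_t_offered = True          # a peer advertised NAT-T support
        elif m := BLOCK_RE.search(line):
            ports.add((int(m.group(3)), int(m.group(4))))
        elif m := TRANSFORM_RE.search(line):
            checked.append(int(m.group(1)))
        elif "atts are not acceptable" in line and checked:
            rejected.append(checked[-1])  # rejection applies to the last transform checked
    return {
        "nat_t_offered": nat_t_offered,
        # A source port other than 500/4500 means a NAT device rewrote it.
        "nat_in_path": any(spt not in (IKE_PORT, NAT_T_PORT) for spt, _ in ports),
        # NAT-T has only taken effect once the exchange moves to UDP 4500.
        "nat_t_active": any(NAT_T_PORT in pair for pair in ports),
        "transforms_checked": len(checked),
        "transforms_rejected": len(rejected),
        "all_proposals_rejected": bool(checked) and len(rejected) == len(checked),
    }


def nat_t_failed(summary: dict) -> bool:
    """True when a NAT is in the path but the exchange never moved to UDP 4500."""
    return summary["nat_in_path"] and not summary["nat_t_active"]
```

Run on the sample, triage() reports a NAT in the path with NAT-T never activated and every phase-1 transform rejected, which is the same pair of symptoms visible in the server-side debug above.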