02-14-2005 01:10 AM - edited 02-21-2020 01:36 PM
Hi Folks!!!
I have configured a remote access IPsec VPN using a PIX-515E (3DES & MD5 used). This has been primarily configured for accessing a webserver which is in the internal network. I have checked the access through a dialup connection, checked the access to the webserver, and it is working OK.
One of our clients has tried accessing the webserver through the remote access VPN which we have set up as above and was successfully able to establish the IPsec VPN tunnel, but when he tries to access the webserver he is not able to access it. The client is using his home broadband connection to check the webserver access.
Attached below the PIX log msg
%PIX-6-302013: Built inbound TCP connection 124305969 for outside:10.120.77.2/1097 (10.120.77.2/1097) to inside:192.168.10.23/80 (192.168.10.23/80) (ABC_check)
%PIX-6-302014: Teardown TCP connection 124305969 for outside:10.120.77.2/1097 to inside:192.168.10.23/80 duration 0:02:01 bytes 0 SYN Timeout (ABC_check)
The above logs give SYN Timeout as the reason, but I am not able to figure out why this timeout is generated and why the client is not able to access the webserver, even though we have checked the same access through a dialup connection.
Folks, I require your help to get this resolved.
Thanks in advance.
Cheers
SS
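As an added illustration (not part of the original post or of Cisco's own tooling), the following parser correlates the PIX 302013 "Built" and 302014 "Teardown" messages by connection id and flags connections that were torn down with "SYN Timeout" and zero bytes, i.e. the firewall opened a slot for the client's SYN but never saw the handshake complete. The sample log embeds the two lines quoted above plus one constructed healthy connection (user "other_user", reason "TCP FINs") for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two PIX messages from the post above, plus one
# hypothetical healthy connection (not from the page) that closed normally.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 124305969 for outside:10.120.77.2/1097 (10.120.77.2/1097) to inside:192.168.10.23/80 (192.168.10.23/80) (ABC_check)
%PIX-6-302013: Built inbound TCP connection 124305970 for outside:10.120.77.3/1101 (10.120.77.3/1101) to inside:192.168.10.23/80 (192.168.10.23/80) (other_user)
%PIX-6-302014: Teardown TCP connection 124305969 for outside:10.120.77.2/1097 to inside:192.168.10.23/80 duration 0:02:01 bytes 0 SYN Timeout (ABC_check)
%PIX-6-302014: Teardown TCP connection 124305970 for outside:10.120.77.3/1101 to inside:192.168.10.23/80 duration 0:00:12 bytes 5831 TCP FINs (other_user)
"""

# %PIX-6-302013: Built <dir> TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>) [(user)]
BUILT = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\)(?: \((?P<user>[^)]*)\))?"
)
# %PIX-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration h:mm:ss bytes <n> [reason] [(user)]
TEARDOWN = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<cid>\d+) for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+) "
    r"(?P<reason>.*?)(?: \((?P<user>[^)]*)\))?$"
)

@dataclass
class Finding:
    cid: str
    user: str
    src: str
    dst: str
    dport: int
    duration: str

def find_half_open(log_text: str) -> list[Finding]:
    """Return connections the PIX tore down with 'SYN Timeout' and 0 bytes.
    Such a connection never completed the TCP handshake, so the fault lies
    on the path (e.g. the VPN tunnel), not in the webserver's responses."""
    built: dict[str, dict] = {}
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = BUILT.match(line)
        if m:
            built[m["cid"]] = m.groupdict()   # remember the setup for later correlation
            continue
        m = TEARDOWN.match(line)
        if m and m["reason"] == "SYN Timeout" and int(m["bytes"]) == 0:
            b = built.get(m["cid"], {})
            findings.append(Finding(m["cid"], m["user"] or b.get("user") or "-",
                                    m["src"], m["dst"], int(m["dport"]), m["dur"]))
    return findings

if __name__ == "__main__":
    for f in find_half_open(SAMPLE_LOG):
        print(f"half-open conn {f.cid} user={f.user} {f.src} -> {f.dst}:{f.dport} after {f.duration}")
```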
02-14-2005 02:30 AM
Hi,
is the user able to ping or connect to any destination in the internal network?
If yes, and only the TCP connection fails, I'd check the MTU, e.g. if his home broadband connection is via ADSL.
Regards,
Milan
02-14-2005 02:43 AM
Hi !!
When the client accesses the webserver using the remote access VPN through broadband (using the Cisco VPN client), he is able neither to ping nor to traceroute the internal IPs, though it is allowed in the PIX firewall. If the ping/traceroute test is done through a dialup connection it works, and the webserver is also accessible.
Cheers
02-14-2005 03:58 PM
If he's on ADSL then his traffic is probably being PAT'd, and this is causing issues with the IPsec traffic (which is not UDP/TCP based, and a lot of devices have trouble PAT'ing this type of traffic).
On the PIX use the following command:
isakmp nat-traversal
This will enable NAT-T on the PIX; the PIX and client will then negotiate at tunnel start-up to encapsulate the IPsec packets in UDP packets, which should then be PAT'd correctly by your user's broadband device.