I have a client that has a PIX 501 with 6.3. We have the usual "isakmp nat-transversal 20" and the "sysopt connect permit-ipsec". However, we can not get the Symantec VPN Client to pass it's isakmp information properly. The Symantec client works fine from other locations without a PIX. I have followed Symantec's recommendations regarding NAT Transversal and it still will not work.
Does anyone have experience with this client passing through a PIX? Is there something else I should be doing/checking on the PIX?
The flip side to the nat-traversal feature is that it only works if you are not also terminating ipsec on the pix. If you have an address that you can use besided the outside interface address for the client, you can have them use that and it will work.
Can you elaborate a little more? I am a little confused by which outside interface address you are talking about - the Pix or the Symantec VPN host?
If you are talking about the PIX, do you mean assign another IP address to the outside interface? Is there anything special I would need to do to "make" the Symantec client use the new IP on the outside interface?
Thank you for taking the time to respond... I have been pulling my hair out on this one for several days now.
description This is a list of protocols that will invoke the global 99
object-group network no-pat-nets
description This is a list of networks or hosts which are permitted to use the global 99 range for VPN pass-thru
network-object 10.1.X.0 255.255.255.0
access-list no-pat extended permit object-group no-pat-protocols object-group no-pat-nets any
access-list no-pat extended permit udp object-group no-pat-nets any eq isakmp
global (outside) 99 70.x.x.120-70.x.x.126 netmask 255.255.255.128
global (outside) 100 70.x.x.110
nat (inside) 0 access-list no-nat
nat (inside) 99 access-list no-pat
nat (inside) 100 0.0.0.0 0.0.0.0
What this does is creates a policy nat which will allow vpn client users to grab an ip from the global 99 pool so that they will have an ip all to themselves while running a VPN client through and from behind the firewall.
Another option that I was suggesting initially for you is to simply create a static like so:
static(inside,outside) somePublicIP, VPNclientPCiP net 255.255.255.255
then you would need to permit isakmp in for this ip like so:
access-list someAcl permit udp any host somePublicIP eq 500
access-list someAcl permit gre any host somePublicIP
Then attach that to your outside interface. The reason, btw, that nat traversal doesn't work when you are using the pix as an ipsec endpoint is that you are already using up udp 500 on the outside interface of the pix. So if you pat on that address, isakmp won't go anywhere else but to the running process on the pix.