07-30-2001 02:19 AM - edited 02-21-2020 11:23 AM
Does VPN Client 3.x (unified framework) support NAT transparency? If not, is there a plan to support this feature? Is there any VPN client with NAT transparency feature compatible with PIX 6.0?
Problem: I'm sitting behind a corporate firewall with VPN Client 3.x. When I go outside, I'm PAT-ed, and I want to connect to a remote PIX to establish a VPN tunnel. When I'm connected directly to the remote router (next hop is PIX), everything is OK; when I try the same thing behind the firewall, I receive this error:
1 11:16:56.272 07/30/01 Sev=Warning/2 IKE/0xE3000079
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
2 11:16:56.322 07/30/01 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).
08-02-2001 12:21 PM
I am currently performing the same function through a PIX 506 firewall connected to a cable modem using PAT. You must select within the VPN 3.0 client properties "Allow IPSEC through NAT mode". The most common application for IPSec through NAT mode is behind a home router performing PAT. Using this feature encapsulates Protocol 50 (ESP) traffic within UDP packets that the home router/firewall forwards to their destination. The VPN Client also sends keepalives frequently, ensuring that the mappings on the router/firewall are kept active. However, using this method requires port 10000 UDP (default) to be permitted outbound through the firewall.
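A simplified model of the mechanism described in the reply above, added here as an illustration and not part of the thread or of any Cisco code: it shows why bare ESP gets no PAT mapping, why ESP inside UDP does, and why keepalives must arrive more often than the mapping's idle timeout. The addresses, ports other than 10000, the 30-second timeout and all class and function names are assumptions.

```python
from dataclasses import dataclass, field

ESP, UDP = 50, 17                  # IP protocol numbers
CLIENT = ("192.168.1.10", 1234)    # constructed inside address and source port

@dataclass
class PatDevice:
    """Simplified PAT (assumption): only port-bearing traffic is translated and
    a mapping expires after idle_timeout seconds without outbound traffic."""
    idle_timeout: int = 30
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public port -> [ip, port, last_seen]

    def outbound(self, now, proto, src_ip, src_port=None):
        if proto != UDP or src_port is None:
            return None                        # bare ESP has no port to rewrite
        for pub, m in list(self.table.items()):
            if m[:2] == [src_ip, src_port]:
                if now - m[2] <= self.idle_timeout:
                    m[2] = now                 # live mapping refreshed
                    return pub
                del self.table[pub]            # stale mapping is gone
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[pub] = [src_ip, src_port, now]
        return pub

    def inbound(self, now, proto, dst_port=None):
        m = self.table.get(dst_port) if proto == UDP else None
        if m is None or now - m[2] > self.idle_timeout:
            return None                        # no live mapping: packet dropped
        return (m[0], m[1])

def reply_delivered(keepalive_interval, idle_gap=120, timeout=30):
    """Does a gateway reply to the original public port reach the client after
    idle_gap seconds without user traffic? keepalive_interval=0 means none."""
    pat = PatDevice(idle_timeout=timeout)
    pub = pat.outbound(0, UDP, *CLIENT)        # first ESP-in-UDP packet (to UDP 10000)
    t = keepalive_interval
    while keepalive_interval and t <= idle_gap:
        pat.outbound(t, UDP, *CLIENT)          # keepalive refreshes the mapping
        t += keepalive_interval
    return pat.inbound(idle_gap, UDP, pub) is not None

if __name__ == "__main__":
    print("bare ESP translated:", PatDevice().outbound(0, ESP, CLIENT[0]) is not None)
    for interval in (0, 20, 50):
        print(f"keepalive every {interval}s ->", reply_delivered(interval))
```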
08-02-2001 12:37 PM
Well, I heard that Cisco does not support this feature yet. I have my clients connecting through their home router or DSL, and a few of them are using PAT. All of them select that option, "Allow IPSEC through NAT mode", but they are still unable to do so. Now, can you help me with this port 10000 UDP to be permitted outbound through the firewall? (I am assuming this port access will be on my PIX, where the clients are terminating.) Can you tell me exactly what addresses I have to permit to go out? Is it the virtual IP address that my VPN clients get, or everything? I'm not sure I understand how this will be done... allowing that port 10000 UDP. I would appreciate that.