10-11-2002 08:05 AM - edited 02-21-2020 12:06 PM
I am having a problem routing packets through a vpn tunnel established with a 3.6 client through a pix 501 to a vpn 3005. I am using ipsec over udp (port 10000). If I use the easy vpn server config on the pix, everything works fine, but I don't need a lan to lan tunnel. I don't want to use split tunneling for internet access on the remote lan and only 1 machine needs the vpn connectivity at various times. I have opened all the necessary ports, I think. My access list looks like this:
access-list allowincoming permit udp any any
access-list allowincoming permit esp any any
access-list allowincoming permit udp any any eq isakmp
access-group allowincoming in interface outside
The tunnel comes up and authenticates fine on the client but it appears that none of the incoming packets are decrypted. I have the same config at another remote site through a PAT'ed 1605R running IOS FW with similar access-lists and it works fine.
Am I missing something? Any suggestions are greatly appreciated.
Thanks,
Jeff
10-11-2002 08:43 PM
There might be some other pix config issue.
Actually, just having the nat and global interface overload command should already enable your inside client to connect and pass traffic to the concentrator (even without the access-list). Maybe an access-list on the inside?
Regards,
10-13-2002 07:27 AM
I don't want to ask a silly question, however, are you trying to use AH for part of the transform-set for that client? Did you use AH for the other site?
If so, if I am not mistaken, you can't use AH when doing NATing or PATing. You can only use ESP with NATing or PATing.
Like I said, I am not sure but this might be something to check into if you are trying to use AH for part of the transform-set.
Just something to think about....