VPN Client 3.6.1 behind PIX 501 w/PAT to VPN 3005 Concentrator

jhanchey
Level 1

I am having a problem routing packets through a VPN tunnel established with a 3.6 client through a PIX 501 to a VPN 3005. I am using IPsec over UDP (port 10000). If I use the Easy VPN Server config on the PIX, everything works fine, but I don't need a LAN-to-LAN tunnel. I don't want to use split tunneling for internet access on the remote LAN, and only 1 machine needs the VPN connectivity at various times. I have opened all the necessary ports, I think. My access list looks like this:

access-list allowincoming permit udp any any
access-list allowincoming permit esp any any
access-list allowincoming permit udp any any eq isakmp
access-group allowincoming in interface outside

The tunnel comes up and authenticates fine on the client but it appears that none of the incoming packets are decrypted. I have the same config at another remote site through a PAT'ed 1605R running IOS FW with similar access-lists and it works fine.

Am I missing something? Any suggestions are greatly appreciated.

Thanks,

Jeff

2 Replies

edadios
Cisco Employee

There might be some other pix config issue.

Actually, just having the nat and global interface overload command should already enable your inside client to connect and pass traffic to the concentrator (even without the access-list). Maybe an access-list on the inside?

Regards,

b-pelphrey
Level 1

I don't want to ask a silly question, however, are you trying to use AH for part of the transform-set for that client? Did you use AH for the other site?

If so, if I am not mistaken, you can't use AH when doing NATing or PATing. You can only use ESP with NATing or PATing.

Like I said, I am not sure but this might be something to check into if you are trying to use AH for part of the transform-set.

Just something to think about....
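The AH-versus-ESP point in the reply above, worked through as an added example (not code from this thread or from Cisco): it models the AH integrity check, which covers the outer source address that PAT rewrites, against ESP over UDP port 10000, whose integrity check covers only the ESP header and payload. The key, the addresses and the packet contents are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

# Constructed key and RFC 5737 documentation addresses, not values from the thread.
KEY = b"constructed-sa-key"
INSIDE_HOST = "192.168.1.10"   # VPN client behind the PIX
PAT_ADDRESS = "198.51.100.2"   # PIX outside address the client is translated to
CONCENTRATOR = "203.0.113.5"   # stand-in for the VPN 3005
IPPROTO_UDP, IPPROTO_AH = 17, 51

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero; AH zeroes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def pat_rewrite(ip_hdr, new_src):
    """The translation the PIX applies on egress: source address swapped for its outside address."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]

def ah_icv(ip_hdr, ah_hdr_no_icv, payload):
    """AH ICV (RFC 4302 style, HMAC-SHA1-96) over the IP header with mutable fields zeroed,
    the AH header with a zeroed ICV field, and the payload. Addresses are immutable, so covered."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0; h[6:8] = h[10:12] = b"\x00\x00"   # TOS, TTL, flags/frag, checksum are mutable
    data = bytes(h) + ah_hdr_no_icv + b"\x00" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def esp_icv(spi, seq, ciphertext):
    """ESP ICV covers only the ESP header and payload, never the outer IP/UDP header."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + ciphertext, hashlib.sha1).digest()[:12]

def ah_survives_pat():
    payload = b"inner-ip-packet"
    ah_hdr = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0x1001, 1)   # next, len, rsvd, SPI, seq
    ip_hdr = ipv4_header(INSIDE_HOST, CONCENTRATOR, IPPROTO_AH, 20 + 12 + 12 + len(payload))
    icv = ah_icv(ip_hdr, ah_hdr, payload)             # computed by the client before translation
    received = pat_rewrite(ip_hdr, PAT_ADDRESS)       # what the concentrator actually sees
    return hmac.compare_digest(ah_icv(received, ah_hdr, payload), icv)

def esp_over_udp_survives_pat():
    spi, seq, ciphertext = 0x2002, 1, b"encrypted-inner-packet"
    esp = struct.pack("!II", spi, seq) + ciphertext + esp_icv(spi, seq, ciphertext)
    udp = struct.pack("!HHHH", 10000, 10000, 8 + len(esp), 0)   # IPsec over UDP, port 10000
    pkt = ipv4_header(INSIDE_HOST, CONCENTRATOR, IPPROTO_UDP, 20 + len(udp) + len(esp)) + udp + esp
    pkt = pat_rewrite(pkt[:20], PAT_ADDRESS) + struct.pack("!H", 1025) + pkt[22:]   # PAT: src addr + port
    rx_spi, rx_seq = struct.unpack("!II", pkt[28:36])          # receiver parses ESP after IP + UDP
    rx_ct, rx_icv = pkt[36:-12], pkt[-12:]
    return hmac.compare_digest(esp_icv(rx_spi, rx_seq, rx_ct), rx_icv)
```

`ah_survives_pat()` returns False because the concentrator recomputes the ICV over the translated source address, while `esp_over_udp_survives_pat()` returns True because nothing PAT changed is under the ESP ICV.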