08-04-2005 04:37 AM
We have a PIX 515E with VPN enabled. Users in the USA have no problem connecting with the VPN client.
However, we have a user in Hong Kong who is having problems. He can connect to the outside interface and establish the connection. The user is assigned an IP address from the reserve pool, but cannot connect to our server here in the States or even ping any of the internal IP addresses.
Is there any other config that needs to be done?
08-04-2005 05:15 AM
Is your user at HK using an XP box? If so, try disabling the built-in XP firewall.
Also, is this user behind a NAT device? If so, enable on your PIX 515 (in config mode):
isakmp nat-traversal
You can also get your user to enable logging on the VPN client: set the logging level to HIGH and ask him/her to reconnect and observe the client log. You could post this here and we'll take a look for you.
Hope this helps a little. Let me know how you get on.
Jay
08-04-2005 06:00 AM
Hi Jay -
Thanks for the quick reply. I smacked myself in the head when I saw your suggestion about the XP firewall. I should have known that.
They are behind a NAT device. Forgive my ignorance, but I am not an expert on configuring the PIX. Is that one line all I need to enter? I.e.:
config t
isakmp nat-traversal
quit
write mem
Anything else? Does the PIX need to be restarted after making that change?
Thanks for the help. If none of this works, I'll get them to enable the logging to see what the situation is.
Jay
08-04-2005 06:07 AM
Yes, in config mode do:
isakmp nat-traversal
save with: write mem - and you're done.
Now get your user in HK to establish the VPN client connection and try and ping an internal server on your side. And make sure that the MS XP firewall is disabled.
Let me know how you get on, and if this does resolve your problem, please rate the post, as others might be looking for the same solution!!
Jay
08-05-2005 04:05 AM
Jay -
Many thanks for your help. The isakmp nat-traversal configuration resolved the issue.
Thanks again!
JC