VPN Client -> 1721 -> Internet -> PIX: No LAN access

cwaskow
Level 1

Well, the subject says it all. I am using the latest version of the VPN client on Windows XP. I have a T1 set-up using a 1721. A remote location (not sure what router) has a PIX running. I can connect to the VPN and even get an IP from the remote network, however, I'm unable to ping any of the remote IP addresses.

Now, here is where it gets weird. If I connect with the same computer from home, I can get in no problems at all. At home, I connect to a Cable Internet connection with a Netgear router.

Considering this, it would seem as though the problem is with the 1721 at the office. The 1721 has the Advanced Security IOS and was set-up using SDM 2.0. All the settings are as 'default' as one can be using SDM 2.0. I've tried adding firewall rules that allow all traffic to/from the IP of the PIX, but it doesn't seem to work. Any help here would be greatly appreciated.

2 Replies

kagodfrey
Level 3

Could be a NAT problem: data at your office is most likely on a private range that gets NATed, whereas at home you'd more than likely be on a public IP address. Does the PIX have NAT traversal (NAT-T) enabled (isakmp nat-traversal 20)? It'll need to be running 6.3 code.

An IPsec packet is invalidated when subjected to NAT. NAT-T encapsulates the IPsec packets into UDP packets at the VPN source device, so it is the UDP portion that has the NAT performed on it. The destination device strips the UDP away, leaving the intact IPsec packet.

HTH

Kev
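
As an added illustration of the NAT-T point in the reply above (not code from the original thread or from Cisco): a toy Python model of a port-translating NAT, a bare ESP packet, and the RFC 3948 UDP/4500 encapsulation that the VPN source device applies and the destination strips. The packet dictionaries, the PatDevice class and the addresses are simplified assumptions.

```python
UDP_NAT_T_PORT = 4500  # RFC 3948: UDP port carrying ESP-in-UDP (and IKE) through NAT
PROTO_ESP, PROTO_UDP = 50, 17
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefix that marks IKE, not ESP, on UDP/4500

def build_esp(spi, seq, payload):
    """Bare ESP header (SPI, sequence number) plus encrypted payload: no port numbers."""
    return spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload

def encapsulate_nat_t(esp):
    """VPN source device wraps the ESP packet in UDP so the NAT has ports to rewrite."""
    return {"proto": PROTO_UDP, "sport": UDP_NAT_T_PORT, "dport": UDP_NAT_T_PORT, "data": esp}

def decapsulate_nat_t(pkt):
    """Destination strips the UDP header; a leading non-ESP marker means IKE, else ESP."""
    if pkt["proto"] != PROTO_UDP or pkt["dport"] != UDP_NAT_T_PORT:
        raise ValueError("not a NAT-T packet")
    if pkt["data"].startswith(NON_ESP_MARKER):
        return "ike", pkt["data"][4:]
    return "esp", pkt["data"]

class PatDevice:
    """Toy port-address translation: inside hosts share one public IP, keyed by L4 port."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.table = public_ip, 40000, {}

    def translate(self, inside_ip, pkt):
        """Return the translated packet, or None if the packet cannot be port-translated."""
        if pkt["proto"] == PROTO_ESP:
            # Bare ESP (IP protocol 50) has no ports, so PAT has nothing to rewrite
            # and cannot tell inside peers apart: this is the 'invalidated' case.
            return None
        key = (inside_ip, pkt["sport"])
        public_port = self.table.setdefault(key, self.next_port + len(self.table))
        return dict(pkt, src_ip=self.public_ip, sport=public_port)

def demo():
    """Constructed walk-through: bare ESP fails at the NAT, NAT-T ESP goes through intact."""
    nat = PatDevice("203.0.113.10")  # constructed public address
    esp = build_esp(spi=0x1000, seq=1, payload=b"ciphertext")
    bare = nat.translate("192.168.1.5", {"proto": PROTO_ESP, "data": esp})
    encap = nat.translate("192.168.1.5", encapsulate_nat_t(esp))
    kind, inner = decapsulate_nat_t(encap)
    return bare is None, encap["sport"], kind, inner == esp

if __name__ == "__main__":
    print(demo())
```

The NAT rewrites only the outer UDP source port; the ESP bytes the destination recovers are identical to what the source built, which is why the SA survives.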

Well, the home office is also on NAT. After messing around with things, I removed all the association of the ACL from SDM on the interfaces and everything worked as expected. I did find the proposed NAT solution in another thread, but I didn't want to change the PIX, as other people, including myself, could connect when behind a NAT.

I'm not happy with this as a fix, but it helps me narrow my field as to what caused the problem. The thing that I find interesting is that the default SDM firewall rules didn't allow VPN traffic, though. So, I guess my next question is: provided a default SDM rule, what modifications would I have to make to it so VPN traffic can go through it?