707 Views, 0 Helpful, 6 Replies

VPN Client -> PIXw/PAT -> VPN Server

emoses (Level 1)

VPN Client Source 10.1.1.153 - internal address

VPN Server Destination 69.245.9.1 - external address

Source is trying to send ipsec traffic through a FW1 that does PAT. The internal ip address/port (10.1.1.153:500) is translated to 64.240.1.2:15.

The Destination is receiving the traffic and replying back to 66.240.1.2:15 according to sniffer. However, I do not see the traffic from the destination passing the FW1.

Help would be appreciated!

Thanks,

E

6 Replies

mostiguy (Level 6)

Does the PIX have isakmp nat-traversal enabled? That said, if you do not see traffic passing through the FW1, then it sounds like you have a FW1 problem.

I do have isakmp nat-traversal. What should I check on the FW?

Thanks,

E

ma4d (Level 1)

Don't you need to enable some type of encapsulation for the VPN client to work over NAT/PAT? Try enabling IPSec over TCP on both the client and the concentrator.

Sorry, when I entered my last post I hadn't read the whole thread. If you use TCP then you'll of course have to change your PAT config on the firewall.

I am wondering if you are really using some type of NAT traversal, because if you are, wouldn't the client be sourcing its packets from some port besides UDP 500?

VPN Client is using NAT-T. I've set up isakmp nat-traversal on the firewall.

Should I set up a static PAT to limit the outside address to port 500, such as

static (inside, outside) udp outsideip 500 insideip 500 netmask 255.255.255.255 0 0

Thanks,

E

If you are using UDP NAT traversal on the VPN client, it connects to the concentrator first on UDP 500, which is covered in your static. It then needs to connect to UDP 4500, which you don't have a static for. Since you can't translate both inside ports (500 and 4500) to the same outside port (15), you will need two statics.

try:

static (inside,outside) udp outsideip 15 insideip 500 netmask 255.255.255.255

static (inside,outside) udp outsideip 16 insideip 4500 netmask 255.255.255.255
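The reasoning in the last reply (NAT-T starts IKE on UDP 500, then moves IKE and ESP-in-UDP to UDP 4500, so a PAT that only maps one inside port, or maps both to the same outside port, cannot deliver the concentrator's replies) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco; it models a PIX static PAT table in a deliberately simplified way (one udp static equals one fixed inside:port to outside:port binding, matching the syntax as written in the thread), uses the thread's addresses 10.1.1.153 and 64.240.1.2, and takes outside ports 15 and 16 from mostiguy's suggested statics. The function names and the `check_nat_t_statics` lint are my own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISAKMP_PORT = 500   # IKE phase 1 starts here
NAT_T_PORT = 4500   # NAT-T moves IKE and ESP-in-UDP here once NAT is detected


@dataclass(frozen=True)
class StaticPat:
    """One PIX 'static (inside,outside) udp <out_ip> <out_port> <in_ip> <in_port>' binding."""
    proto: str
    outside_ip: str
    outside_port: int
    inside_ip: str
    inside_port: int


def parse_static(line: str) -> StaticPat:
    """Parse a static PAT line in the form used in the thread (assumed, simplified syntax)."""
    cleaned = line.replace("(inside, outside)", "").replace("(inside,outside)", "")
    parts = cleaned.split()
    # parts: ['static', proto, outside_ip, outside_port, inside_ip, inside_port, 'netmask', ...]
    if len(parts) < 6 or parts[0] != "static":
        raise ValueError(f"not a static PAT line: {line!r}")
    return StaticPat(parts[1], parts[2], int(parts[3]), parts[4], int(parts[5]))


def translate_outbound(statics: List[StaticPat], proto: str,
                       src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
    """Inside -> outside: which (ip, port) does the firewall present to the VPN server?"""
    for s in statics:
        if (s.proto, s.inside_ip, s.inside_port) == (proto, src_ip, src_port):
            return (s.outside_ip, s.outside_port)
    return None


def translate_inbound(statics: List[StaticPat], proto: str,
                      dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Outside -> inside: the server's reply is only forwarded if a binding exists."""
    for s in statics:
        if (s.proto, s.outside_ip, s.outside_port) == (proto, dst_ip, dst_port):
            return (s.inside_ip, s.inside_port)
    return None


def check_nat_t_statics(statics: List[StaticPat], inside_ip: str) -> List[str]:
    """Lint a static table for a NAT-T client; an empty list means both flows can return."""
    problems = []
    # Both inside ports the client will source from must have a binding.
    for port in (ISAKMP_PORT, NAT_T_PORT):
        if translate_outbound(statics, "udp", inside_ip, port) is None:
            problems.append(f"no udp static for {inside_ip}:{port}")
    # One outside ip:port cannot be claimed by two different inside endpoints.
    claimed = {}
    for s in statics:
        key = (s.proto, s.outside_ip, s.outside_port)
        inside = (s.inside_ip, s.inside_port)
        if key in claimed and claimed[key] != inside:
            problems.append(
                f"outside {s.outside_ip}:{s.outside_port}/{s.proto} mapped to both "
                f"{claimed[key][0]}:{claimed[key][1]} and {inside[0]}:{inside[1]}")
        claimed.setdefault(key, inside)
    return problems


# Constructed tables, built from the lines quoted in the thread.
ONLY_500 = [parse_static(
    "static (inside, outside) udp 64.240.1.2 500 10.1.1.153 500 netmask 255.255.255.255 0 0")]

FIXED = [parse_static(l) for l in (
    "static (inside,outside) udp 64.240.1.2 15 10.1.1.153 500 netmask 255.255.255.255",
    "static (inside,outside) udp 64.240.1.2 16 10.1.1.153 4500 netmask 255.255.255.255",
)]

# Constructed failure case: both inside ports squeezed onto the same outside port.
CONFLICT = [parse_static(l) for l in (
    "static (inside,outside) udp 64.240.1.2 15 10.1.1.153 500 netmask 255.255.255.255",
    "static (inside,outside) udp 64.240.1.2 15 10.1.1.153 4500 netmask 255.255.255.255",
)]

if __name__ == "__main__":
    for name, table in (("only-500", ONLY_500), ("fixed", FIXED), ("conflict", CONFLICT)):
        print(name, check_nat_t_statics(table, "10.1.1.153") or "ok")
        print("  reply to 64.240.1.2:16 ->", translate_inbound(table, "udp", "64.240.1.2", 16))
```

Running it shows the thread's symptom in miniature: with the single port-500 static, the server's reply to the NAT-T port has no inbound binding and is dropped at the firewall, while the two-static table forwards replies on both outside ports back to 10.1.1.153. The conflict table illustrates why the two inside ports need distinct outside ports.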