11-25-2003 10:52 PM
Hello,
I'm using a Cisco 1721 router to connect to the internet with one public IP address.
Between the LAN and the router is a Cisco PIX 515. On the PIX I use private addresses (inside and outside).
I configured the PIX with the VPN wizard for remote access.
The VPN connection is working fine if I have a direct connection to the internet on my client site. (No NAT enabled on VPN client.)
I have configured the 1721 for IPsec passthrough (ESP, UDP).
When I'm connecting from a site behind a firewall, I cannot connect when I enable NAT on the VPN client. If I disable NAT I can connect, but I cannot ping or connect to a server on the remote site.
I've configured NAT traversal on the PIX.
Is there someone who might have suggestions for me?
12-01-2003 02:32 PM
I'm not clear about your topology and what you are trying to do. If you are trying to configure VPN client to PIX VPN, with a NAT device in between, you should enable IPSec over UDP. Also, if the tunnel setup is fine but there are problems browsing local resources, you should see http://www.cisco.com/warp/customer/471/vpn-net-hood.html
12-02-2003 01:41 AM
The problem is that, when NAT is enabled on the VPN client, I cannot establish a VPN session to the PIX.
In between is a Cisco 1721 router with IPsec passthrough.
12-07-2003 09:03 PM
Hi
From the problem description it looks like this is the topology you are trying to resolve:
VPNclient------Internet-----1721router-----PIX----LAN.
If this is the topology, is the router doing any kind of PAT?
Let me know if you have any queries and please provide more information.
Deepali
12-08-2003 12:05 AM
Hi
Yes the following is in the configuration of the router:
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static udp x.x.x.x 500 interface Dialer0 500
ip nat inside source static esp x.x.x.x interface Dialer0
Kind regards,
Edwin
12-08-2003 12:38 AM
Hi,
You may find the following post from the 'Ask the Expert' with Glenn Fullager useful reading:
Nov 4, 2003, 3:27pm PST
Since the PIX is a layer 3 device, you now have the problem of creating another subnet in between the router and PIX. Basically you have to decide where you're going to NAT now, probably best on the router.
So let's turn off NAT in the PIX with:
clear nat
clear global
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.1.0 255.255.255.0 any
clear xlate
We need to create a small two-host network in between the router and the PIX now, so on the PIX do:
ip address outside 10.1.1.1 255.255.255.252
route outside 0.0.0.0 0.0.0.0 10.1.1.2
You can then clear your statics out cause the "nat 0" will replace that:
clear static
and since the router is now going to be doing the NAT, we need to change your access-list:
no access-list 101
access-list 101 permit tcp any host 192.168.1.102 eq www
access-list 101 permit tcp any host 192.168.1.102 eq smtp
access-list 101 permit tcp any host 192.168.1.102 eq ftp
access-list 101 permit tcp any host 192.168.1.102 eq 8080
access-list 101 permit tcp any host 192.168.1.102 eq pop3
access-group 101 in interface outside
On the router now, we change the inside interface address and add a route to the 192.168.1.0 network with:
interface faste0
ip address 10.1.1.2 255.255.255.252
ip route 192.168.1.0 255.255.255.0 10.1.1.1
Now on the router set up the NAT'ing:
ip nat inside source static tcp 192.168.1.102 80 interface dialer1 80
ip nat inside source static tcp 192.168.1.102 8080 interface dialer1 8080
ip nat inside source static tcp 192.168.1.102 25 interface dialer1 25
ip nat inside source static tcp 192.168.1.102 ftp interface dialer1 ftp
ip nat inside source static tcp 192.168.1.102 pop3 interface dialer1 pop3
allow any others through that you need, making sure you add a corresponding ACL on the PIX for it
That should be pretty close to what you want. You may need to tweak it a bit and I haven't tested this, but I have set it up a few times before. Basically the router does the NAT'ing now, and NAT's everything to the 192.168.1.102 address as before. This then gets sent through to the PIX across the 10.1.1.0/30 subnet and the PIX just allows it through based on its access-list and "nat 0" statement.
Hope it helps a little...
12-08-2003 01:01 AM
Sorry,
But I already have NAT on the router and no NAT on the PIX.
So this is not my problem. The problem is that the VPN client cannot connect to the PIX when I am using NAT.
12-08-2003 08:31 PM
Hi
Thanks for the information. Since your clients are behind the router and they are connecting to a PIX, it is a NAT-T issue.
What is NAT-T when you are using IPSec:
IPSec over TCP/UDP (NAT Transparency) was formed to get over the need to have one-to-one translation. What it does is encapsulate the ESP packet inside TCP or UDP. Since TCP and UDP have no problems going through PAT (because they have ports), this allows ESP to go through PAT too, since ESP will be riding inside TCP/UDP. However, the other side of the VPN tunnel needs to understand that it should be expecting ESP traffic encapsulated inside something else or this won't work. So whatever device you are connecting to at the remote end will need to understand IPSec over TCP/UDP.
Cisco Router code 12.2(13)T allows IPSec over UDP but not TCP. And the PIX OS 6.3 and higher supports IPSec over UDP.
Cisco VPN client 3.6 and higher supports NAT-T.
NAT-T can also be resolved by doing one-to-one static translation.
Let me know if you have any queries.
Deepali
12-10-2003 02:24 AM
Hi,
I am using the following code on the router:
flash:c1700-k8sy7-mz.122-15.T9.bin
The pix is using 6.3 code.
So I think it's not an IOS issue.
12-10-2003 08:44 PM
There are 3 protocols/ports to be opened:
esp
udp 500
udp 4500
12-10-2003 10:01 PM
Hi
Please add this command on the PIX:
isakmp nat-traversal 20
Please let me know if this helps.
Thanks,
Deepali
12-11-2003 12:03 AM
Hi,
I already did that.
A colleague of mine found the solution.
The problem was on the router.
There are translations for UDP 500 and ESP, but when you want to use NAT traversal, you have to add a translation for UDP 4500.
Thanks for helping me out.
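A toy model of the root cause found in this thread (NAT-T moves IKE and ESP into UDP/4500, so the router in front of the PIX needs a third static translation). This is an added illustration, not code from the thread or from Cisco; the config lines are constructed after the ones posted above, with x.x.x.x standing in for the PIX outside address.

```python
"""Toy model of the inbound static NAT on the 1721 in front of the PIX.

Constructed example, not Cisco code: shows why the VPN client fails once
NAT-T is negotiated until the router also forwards UDP/4500 to the PIX.
"""
UDP, ESP = 17, 50  # IP protocol numbers; ESP carries no L4 port

def parse_static_nat(config):
    """Collect (proto, public port) forwards from IOS 'ip nat ... static' lines."""
    forwards = set()
    for line in config.splitlines():
        w = line.split()
        if w[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue  # e.g. the 'source list 101 ... overload' PAT line
        if w[5] == "esp":
            forwards.add((ESP, None))
        elif w[5] == "udp":
            forwards.add((UDP, int(w[-1])))  # last token is the Dialer0 port
    return forwards

def client_flow(nat_t_negotiated):
    """(proto, dst port) of what the VPN client sends the PIX, in order.
    IKE always starts on UDP/500. When both peers support NAT-T and detect a
    NAT in the path, IKE floats to UDP/4500 and ESP is encapsulated in
    UDP/4500 (RFC 3948); otherwise plain ESP follows IKE.
    """
    if nat_t_negotiated:
        return [(UDP, 500), (UDP, 4500), (UDP, 4500)]
    return [(UDP, 500), (ESP, None)]

def first_dropped(config, nat_t_negotiated):
    """First (proto, port) the router has no static forward for, else None."""
    forwards = parse_static_nat(config)
    for hop in client_flow(nat_t_negotiated):
        if hop not in forwards:
            return hop
    return None

# Constructed configs; x.x.x.x stands in for the PIX outside address as in the thread.
BEFORE = """\
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static udp x.x.x.x 500 interface Dialer0 500
ip nat inside source static esp x.x.x.x interface Dialer0
"""
AFTER = BEFORE + "ip nat inside source static udp x.x.x.x 4500 interface Dialer0 4500\n"

if __name__ == "__main__":
    print("direct client, old config:", first_dropped(BEFORE, False))  # None
    print("NAT-T client, old config: ", first_dropped(BEFORE, True))   # (17, 4500)
    print("NAT-T client, new config: ", first_dropped(AFTER, True))    # None
```

The model deliberately ignores the PAT line (list 101 overload), which only handles outbound flows; inbound VPN traffic reaches the PIX solely through the static entries.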