VPN Client through a PIX

bleearg13
Level 1

Hi,

I seem to have baffled TAC with this question:

I have a client who has two PIX 501 firewalls. One in DC (pix-a) and one in San Diego (pix-b). They are both connected via a static IPSec VPN. Works well, no problems there. I've also configured both of them to accept connections from Cisco VPN Clients for those folks who are on the road a lot. This also seems to work fine in most situations.

However, when attempting to connect to either of these two firewalls with the Cisco VPN Client when I am behind another PIX (like at a third site not attached to either pix-a or pix-b by any means of transport), the tunnel establishes, but I cannot pass traffic to the remote LAN. At first I thought it was due to NAT on my home PIX (pix-c). Then I tried at work, from behind a PIX which does not use NAT (pix-d) and got the same results. I should mention that the IPSec passthrough is enabled on both pix-c and pix-d.

The VPN connection establishes just fine from outside of either pix-c or pix-d. I can connect and ping perfectly.

I thought this was going to be a simple "oh yeah, turn this on" or "this isn't supported", but the TAC engineer who picked up my case just doesn't seem to grasp the concept, nor understand how to read my visio .gif image of four PIX firewalls drawn in the exact scenario described above.

thanks,

evt


jmia
Level 7

Evt,

Have you got NAT Traversal enabled?

> isakmp nat-traversal

Jay

YES, Jay is right; sounds like NAT-TRAVERSAL IS NOT ENABLED.

More info:

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

Sincerely,

Patrick

Actually, I do have NAT traversal enabled on pix-c and pix-d (my transit PIXes). In addition, NAT is not enabled on pix-d, so I'm not sure how NAT traversal will affect this, if at all.

What IOS version do you have on pix-a, pix-b?

What transform-set do you use for vpn-clients?

In any case you must enable NAT traversal on pix-a, pix-b.

This fixed it. I did not realize that nat-traversal had to be enabled on the SD pix and the DC pix. I was only enabling it on my transit pixes.

Thanks muchly for the info.
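The thread's fix is a single line on the VPN head-ends, but it is easy to miss in a long running-config, so here is an added audit script (not Cisco's code and not from any poster in this thread) that checks a PIX 6.x configuration for the settings Patrick quotes from the command reference: ISAKMP enabled on an interface, isakmp nat-traversal present, and the natkeepalive value inside the documented 10 to 3600 second range. The two config fragments are constructed for the example and abbreviated; they stand in for pix-a before and after the accepted answer was applied.

```python
"""Audit a PIX 6.x running-config for IKE NAT traversal (NAT-T).

Hypothetical helper written for this thread; not a Cisco tool.
The config text below is constructed and abbreviated for the example.
"""
import re

# Constructed sample: a VPN head-end like pix-a BEFORE the fix.
# ISAKMP is enabled and VPN clients can complete IKE, but there is no
# 'isakmp nat-traversal' line, so a client behind NAT/PAT gets a tunnel
# that passes no traffic (the symptom described in the thread).
PIX_BEFORE = """\
: Saved
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
"""

# The same head-end AFTER adding the one line the accepted answer calls for.
PIX_AFTER = PIX_BEFORE + "isakmp nat-traversal 20\n"

ISAKMP_ENABLE = re.compile(r"^isakmp enable (\S+)\s*$")
NAT_T = re.compile(r"^isakmp nat-traversal(?:\s+(\d+))?\s*$")

KEEPALIVE_DEFAULT = 20          # per the PIX command reference quoted above
KEEPALIVE_MIN, KEEPALIVE_MAX = 10, 3600


def audit_nat_traversal(config):
    """Return a dict describing whether NAT-T is usable on this PIX.

    Keys:
      isakmp_interfaces : interfaces carrying 'isakmp enable'
      nat_traversal     : True if 'isakmp nat-traversal' is present
      keepalive         : natkeepalive seconds (default 20), None if absent
      findings          : human-readable problems; empty list means OK
    """
    ifaces, nat_t, keepalive = [], False, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ISAKMP_ENABLE.match(line)
        if m:
            ifaces.append(m.group(1))
            continue
        m = NAT_T.match(line)
        if m:
            nat_t = True
            keepalive = int(m.group(1)) if m.group(1) else KEEPALIVE_DEFAULT

    findings = []
    if not ifaces:
        findings.append("ISAKMP is not enabled on any interface; "
                        "NAT-T cannot be negotiated")
    if not nat_t:
        findings.append("isakmp nat-traversal is missing: clients behind "
                        "NAT/PAT will build a tunnel that passes no traffic")
    elif not KEEPALIVE_MIN <= keepalive <= KEEPALIVE_MAX:
        findings.append(f"natkeepalive {keepalive} is outside the valid "
                        f"{KEEPALIVE_MIN}-{KEEPALIVE_MAX} second range")
    return {"isakmp_interfaces": ifaces, "nat_traversal": nat_t,
            "keepalive": keepalive, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("pix-a before", PIX_BEFORE), ("pix-a after", PIX_AFTER)):
        result = audit_nat_traversal(cfg)
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f"{name}: {status}")
```

Run it against a saved `write terminal` capture instead of the embedded samples to check a real head-end. The reason the check belongs on pix-a and pix-b rather than the transit firewalls is that NAT-T is negotiated between the two IKE peers (the VPN Client and the head-end) during phase 1; a PIX that is merely in the path never takes part in that negotiation, it only has to let the UDP/500 and UDP/4500 packets through.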

mostiguy
Level 6

OK, you are behind a PIX. You VPN to the San Diego PIX. Is the problem that while you can access San Diego resources, you cannot access DC resources? This is the way PIX OS < 7.0 works.