05-13-2005 03:54 AM - edited 02-21-2020 01:46 PM
Hi,
I seem to have baffled TAC with this question:
I have a client who has two PIX 501 firewalls. One in DC (pix-a) and one in San Diego (pix-b). They are both connected via a static IPSec VPN. Works well, no problems there. I've also configured both of them to accept connections from Cisco VPN Clients for those folks who are on the road a lot. This also seems to work fine in most situations.
However, when attempting to connect to either of these two firewalls with the Cisco VPN Client when I am behind another PIX (like at a third site not attached to either pix-a or pix-b by any means of transport), the tunnel establishes, but I cannot pass traffic to the remote LAN. At first I thought it was due to NAT on my home PIX (pix-c). Then I tried at work, from behind a PIX which does not use NAT (pix-d) and got the same results. I should mention that the IPSec passthrough is enabled on both pix-c and pix-d.
The VPN connection establishes just fine from outside of either pix-c or pix-d. I can connect and ping perfectly.
I thought this was going to be a simple "oh yeah, turn this on" or "this isn't supported", but the TAC engineer who picked up my case just doesn't seem to grasp the concept, nor understand how to read my visio .gif image of four PIX firewalls drawn in the exact scenario described above.
thanks,
evt
05-13-2005 02:10 PM
What IOS version do you have on pix-a, pix-b?
What transform-set do you use for vpn-clients?
In any case you must enable NAT traversal on pix-a, pix-b.
05-13-2005 08:32 AM
Evt,
Have you got NAT Traversal enabled?
> isakmp nat-traversal
Jay
05-13-2005 09:20 AM
YES, Jay is right. Sounds like NAT-TRAVERSAL IS NOT ENABLED.
More info:
Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.
The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.
To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.
sincerely
Patrick
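As an added example, not from any poster in this thread: a PIX 6.3-style headend configuration (pix-a or pix-b in the question) for Cisco VPN Client users, showing where `isakmp nat-traversal` sits relative to the rest of the client VPN setup. All addresses, names and the group key are placeholders I made up.

```cisco
! Added example (not from the thread): PIX 6.3-style remote-access VPN headend.
! Addresses, names and the group key below are placeholders.
! --- ISAKMP (IKE phase 1) ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! The setting this thread is about. It belongs on the VPN headend, not only on
! the transit firewalls: without it a client behind a NAT/PAT device completes
! IKE but ESP is never delivered, which matches "tunnel up, no traffic".
! The keepalive (20 s, the default) keeps the NAT mapping alive while idle.
isakmp nat-traversal 20
! --- Address pool and client group attributes ---
ip local pool vpnpool 192.168.100.1-192.168.100.50
vpngroup roadwarriors address-pool vpnpool
vpngroup roadwarriors dns-server 10.1.1.5
vpngroup roadwarriors default-domain example.com
vpngroup roadwarriors idle-time 1800
vpngroup roadwarriors password PLACEHOLDER_GROUP_KEY
! --- IPsec (phase 2): dynamic map for clients whose source address is unknown ---
crypto ipsec transform-set clientset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set clientset
! The static site-to-site entry for the other PIX goes in the same map at a
! lower sequence number; the dynamic entry is last so it only catches clients.
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
! Let decrypted client traffic bypass the interface ACLs
sysopt connection permit-ipsec
! Exempt LAN-to-client traffic from NAT so replies go back through the tunnel
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! --- Verification after a client connects ---
! show isakmp sa         -> one QM_IDLE entry per connected client
! show crypto ipsec sa   -> pkts encaps and pkts decaps both incrementing
```

If `show crypto ipsec sa` shows encaps counting up but decaps stuck at zero for a client behind NAT, NAT-T is the first thing to check on the headend.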
05-13-2005 09:50 AM
Actually, I do have NAT traversal enabled on pix-c and pix-d (my transit PIXes). In addition, NAT is not enabled on pix-d, so I'm not sure how NAT traversal will affect this, if at all.
05-14-2005 07:11 PM
This fixed it. I did not realize that nat-traversal had to be enabled on the SD pix and the DC pix. I was only enabling it on my transit pixes.
Thanks muchly for the info.
05-14-2005 04:32 PM
OK, you are behind a PIX. You VPN to the San Diego PIX. Is the problem that while you can access San Diego resources, you cannot access DC resources? This is the way PIX OS < 7.0 works.