
VPN Client Through PIX to another PIX

ricksrada
Level 1

I am having an issue with a newly installed PIX 501. Everything has been working fine until an employee returned to work from a long illness. He uses the Cisco VPN client to connect to another site. Prior to the installation of the 501 there was a Windows 98 proxy server in place for Internet connectivity.

The problem now is that when he tries to connect to the other site, I show he has established the connection on my PIX but he is not receiving anything back from the remote PIX and they are not showing him connected.

There must be something I am overlooking but I can't tell what it is. I have even opened up my PIX to all IP traffic from the remote site with no success.

Is it just that the VPN Client cannot go through one PIX to connect to another?

Help!!!!!

3 Replies

sstudsdahl
Level 4

It is possible to establish a VPN connection through one PIX to another. The PIX closest to the client has to be set up to translate the client IP address into a different address. The remote PIX needs to be running PIX OS 6.3 and also has to have the command isakmp nat-traversal added to the configuration, which is absent by default. The combination of these two things allows the remote PIX to detect that address translation is in use and switch to encapsulating the IPSec packets into UDP.

Steve
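
How a peer can detect the address translation described in the answer above, as an added example that is not part of the original thread or Cisco's code: it follows the NAT-D hash comparison from RFC 3947. Assumptions: SHA-1 as the negotiated hash, constructed cookies and documentation-range addresses, and hypothetical function names.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500  # UDP: plain IKE, and the NAT-T port


def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed).digest()


def sender_nat_d(cky_i, cky_r, own_src, peer_dst):
    """NAT-D payloads as the sender builds them: destination first, then source."""
    return [nat_d_hash(cky_i, cky_r, *peer_dst), nat_d_hash(cky_i, cky_r, *own_src)]


def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver side: compare NAT-D hashes with the addresses on the wire."""
    local_natted = nat_d_hash(cky_i, cky_r, *seen_dst) != nat_d[0]
    remote_natted = nat_d_hash(cky_i, cky_r, *seen_src) not in nat_d[1:]
    nat = local_natted or remote_natted
    return {
        "remote_behind_nat": remote_natted,
        "local_behind_nat": local_natted,
        "esp_in_udp": nat,  # encapsulate ESP in UDP once NAT is detected
        "port": NATT_PORT if nat else IKE_PORT,
    }


# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("a1b2c3d4e5f60718")
CKY_R = bytes.fromhex("1827364554637281")
CLIENT_INSIDE = ("192.168.1.10", 500)   # VPN client behind the local PIX
CLIENT_NATTED = ("203.0.113.5", 1024)   # after translation by the local PIX
REMOTE_PIX = ("198.51.100.1", 500)


def demo():
    payloads = sender_nat_d(CKY_I, CKY_R, CLIENT_INSIDE, REMOTE_PIX)
    through_nat = detect_nat(CKY_I, CKY_R, payloads, CLIENT_NATTED, REMOTE_PIX)
    direct = detect_nat(CKY_I, CKY_R, payloads, CLIENT_INSIDE, REMOTE_PIX)
    return through_nat, direct


if __name__ == "__main__":
    for result in demo():
        print(result)
```
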

Steve,

I have NAT set up on my side, but a look at their config does not show the isakmp nat-traversal command. I will have them add it and test the connection again.

Thanks,

Rick

Steve,

I got them to change the config on the remote site and the client is now working fine.

Thanks,

Rick