06-05-2007 10:14 AM
I have a PIX 515e running 6.3(5) with multiple site-to-site VPNs configured and all is well. However, when a user inside my LAN tries to launch a VPN client, whether it is Cisco IPSec or MS SSL, in order to connect to a client (these clients are not part of any of our site-to-site tunnels), they cannot get a connection.
My setup is LAN -> PIX -> 2691 router -> Internet.
If I put my laptop in between the pix and the router with a public address I can get to any of these clients without any problems.
I have NAT-T enabled as well as sysopt connection permit-ipsec.
With Ethereal I see traffic going out but not coming back in.
Any help?
Thanks,
Paul
06-05-2007 10:05 PM
did you permit UDP ports 500 and 4500 on the PIX???
Also check that in your VPN client (Transport tab) transport tunneling (IPsec over UDP) is enabled.
M.
06-06-2007 07:45 AM
I did explicitly permit those ports, though I never see them take hits in the access-list.
I found out that certain client VPN connections do work from inside the LAN here. It appears that the one specific client IPSec VPN problem is with a client who is not using NAT. I cannot turn off NAT-T here as I have site-to-site tunnels configured. Is there a way around this? Also, I still have issues with MS SSL VPNs.
Thanks,
Paul
06-06-2007 08:53 AM
I just figured out how to do it - I had to use a static NAT statement so that I could bypass PAT and not be affected by NAT-T.
access-list VPNACCESS permit ip mylocalip 255.255.255.255 remoteclassB 255.255.0.0
static (inside,outside) 69.xx.yy.zzz access-list VPNACCESS
P
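As an added illustration (not from the thread), here is a small Python model of why the static 1:1 translation fixes this: PAT needs a source port to build and later reverse an xlate, and ESP (IP protocol 50) carries none, while NAT-T traffic on UDP 4500 does. The addresses and the VPNACCESS policy range below are constructed placeholders, not the poster's real values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ESP, UDP = 50, 17  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # 0 = protocol has no ports (ESP)
    dport: int = 0

class PixNat:
    """Simplified PIX 6.3 translator: policy static NAT is tried first, then PAT."""
    def __init__(self, outside_ip, static_host=None, static_dst=None, static_ip=None):
        self.outside_ip = outside_ip
        # models: static (inside,outside) <static_ip> access-list VPNACCESS
        self.static = (static_host, ip_network(static_dst), static_ip) if static_ip else None
        self.pat_table = {}  # (proto, outside_port) -> (inside_host, inside_port)
        self.next_port = 1024

    def outbound(self, pkt):
        if self.static and pkt.src == self.static[0] and ip_address(pkt.dst) in self.static[1]:
            # 1:1 translation: only the address changes, ports/protocol untouched
            return Packet(pkt.proto, self.static[2], pkt.dst, pkt.sport, pkt.dport)
        if pkt.sport == 0:
            return None  # PAT multiplexes on ports; ESP has none, so no xlate is built
        self.next_port += 1
        self.pat_table[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, self.next_port, pkt.dport)

    def inbound(self, pkt):
        if self.static and pkt.dst == self.static[2] and ip_address(pkt.src) in self.static[1]:
            return Packet(pkt.proto, pkt.src, self.static[0], pkt.sport, pkt.dport)
        key = (pkt.proto, pkt.dport)
        if pkt.dst == self.outside_ip and key in self.pat_table:
            host, port = self.pat_table[key]
            return Packet(pkt.proto, pkt.src, host, pkt.sport, port)
        return None  # no xlate: dropped, i.e. "traffic going out but not coming back in"

def round_trip(nat, pkt):
    """True if the remote peer's reply is translated back to the original inside host."""
    out = nat.outbound(pkt)
    if out is None:
        return False
    reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport)
    back = nat.inbound(reply)
    return back is not None and back.dst == pkt.src
```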