VPN connection from VPN client behind PIX to other PIX

NUNSWOR
Level 1

I encounter the following problem:

I wanted to establish a VPN connection from the VPN client to the PIX over GPRS/3G, but I didn't have any luck with PIX IOS version 6.2(2).

So I upgraded the PIX to 6.3(4) to use NAT-T, and the VPN client to version 4.0.5.

I configured the PIX with NAT-T (isakmp nat-traversal 20), but I still didn't have any luck; it would not get through the 1st phase. As soon as I took isakmp nat-traversal off it started to work, and we could connect to our servers.

Now I want to connect from the VPN client behind the PIX to the PIX on our customer's network. The VPN connection establishes with no problem, but we can't access the servers. If I configure NAT-T on both PIXes, or only on the customer's PIX, or only on our PIX, there is no VPN connection at all.

If I establish a connection from the VPN client behind the PIX to the customer's network and try to ping the DNS server, for example, I get the following error on our PIX:

305006: portmap translation creation failed for protocol 50 src inside:10.10.1.x dst outside:194.x.x.x

194.x.x.x – is our customer’s PIX IP address

I understand that an access-list is missing somewhere, but I can't figure it out.

Of course I can configure a site-to-site VPN, but we have a few customers and we support their servers, so it would be nice to just establish the VPN connection from behind the PIX and connect to the customer's server, instead of first dialling in and then establishing the VPN connection.

Can you, please, help?

Thank you in advan

Accepted Solution

jmia
Level 7

The following was taken from ‘ASK THE EXPERT DISCUSSION FORUM’ with Glenn Fullage of Cisco.

I've cut and pasted it here for you to read; I believe you are facing the problem mentioned below:

Question:

Hi Glenn,

Is the following possible?

I have the VPN client on my PC; my LAN is protected by a PIX. I can initiate the VPN client to connect to the remote PIX. The VPN client authenticates and the remote PIX issues my PC the appropriate assigned IP address from its IP pool.

The problem I am facing is that I cannot ping anything on the other side of the remote PIX from my PC, which is behind my PIX. Can you please guide me on what I need to do for this to work, if it is possible at all?

My PC has a static IP address assigned, with the appropriate default gateway pointing to my PIX's inside interface.

Thanks very much for any help provided in advance.

Reply from Glenn:

First of all make sure the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it's probably that the PIX is doing PAT, which generally breaks IPSec. Add the following command onto your PIX that the VPN client is behind:

fixup protocol esp-ike

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for details.

If that still has issues, you can enable NAT-T on the remote PIX that is terminating the VPN; the client and the remote PIX will then encapsulate all the IPSec packets into UDP, which your PIX will be able to PAT correctly. Add the following command on the remote PIX:

isakmp nat-traversal

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for details.

NAT-T is an IETF standard for encapsulation of IPSec packets into UDP packets.

IPSec ESP (the protocol that your encrypted data packets use) is an IP protocol, in that it sits right on top of IP, rather than being a TCP or UDP protocol. For this reason it has no TCP/UDP port number.

A lot of devices that do Port Address Translation (PAT) rely on a unique TCP/UDP source port number to do the PAT'ing. Because all traffic is PAT'd to the same source address, there needs to be some uniqueness about each session, and most devices use the TCP/UDP source port number for that. Because IPSec doesn't have one, a lot of PAT devices fail to PAT it correctly, or at all, and the data transfer fails.

When NAT-T is enabled on both end devices, they will determine during the tunnel build that there is a PAT/NAT device in between them, and if they detect that there is, they automatically encapsulate all the IPSec packets into UDP packets with a port number of 4500. Because there's now a port number, PAT devices are able to PAT it correctly and traffic passes normally.

Hope that helps.

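The mechanics Glenn describes above (ESP carries no port for a PAT device to key on, and NAT-T wraps it in UDP/4500 so one exists), as an added example that is not part of the original thread or of any Cisco code. It simulates a minimal PAT device and builds and demultiplexes the RFC 3948 UDP/4500 framing by hand. Everything in it is constructed: the two inside hosts, the PIX outside address and the customer PIX use RFC 5737 documentation ranges in place of the thread's 10.10.1.x and elided 194.x.x.x addresses, the SPIs and payloads are arbitrary, and the error string is modelled on the PIX 305006 message quoted in the question rather than taken from PIX source.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 sec. 2.2: IKE inside UDP/4500 starts with this
NAT_KEEPALIVE = b"\xff"                # RFC 3948 sec. 2.3: one-octet NAT keepalive

# Constructed addresses: RFC 5737 documentation ranges stand in for the thread's
# 10.10.1.x clients, the PIX outside address and the customer's elided 194.x.x.x PIX.
INSIDE_A, INSIDE_B = "10.10.1.5", "10.10.1.6"
PIX_OUTSIDE = "203.0.113.10"
CUSTOMER_PIX = "198.51.100.1"


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None: the protocol carries no L4 port (ESP)
    dport: Optional[int] = None
    payload: bytes = b""


class PATDevice:
    """Minimal PAT: all inside flows share one outside address and are told
    apart only by a freshly allocated outside source port."""

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.table = {}        # (proto, inside ip, inside port) -> outside port
        self.next_port = 1024

    def translate(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # No port to key on, so no translation entry can be built. This is the
            # condition behind the PIX 305006 message quoted in the question.
            raise ValueError(
                f"portmap translation creation failed for protocol {pkt.proto} "
                f"src inside:{pkt.src} dst outside:{pkt.dst}")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.outside_ip, pkt.dst,
                      self.table[key], pkt.dport, pkt.payload)


def esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the encrypted body (RFC 4303)."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; NAT-T relies on it never appearing")
    return struct.pack("!II", spi, seq) + body


def raw_esp_packet(src: str, spi: int, seq: int, body: bytes) -> Packet:
    """ESP directly on IP: protocol 50, no ports at all."""
    return Packet(IPPROTO_ESP, src, CUSTOMER_PIX, payload=esp(spi, seq, body))


def natt_esp_packet(src: str, spi: int, seq: int, body: bytes) -> Packet:
    """ESP-in-UDP: the UDP/4500 payload is the ESP packet itself, no extra header."""
    return Packet(IPPROTO_UDP, src, CUSTOMER_PIX, NAT_T_PORT, NAT_T_PORT,
                  esp(spi, seq, body))


def natt_ike_packet(src: str, ike_msg: bytes) -> Packet:
    """IKE after the move to 4500 is prefixed with the four-byte zero marker so the
    receiver can tell it from ESP, whose first four bytes are a non-zero SPI."""
    return Packet(IPPROTO_UDP, src, CUSTOMER_PIX, NAT_T_PORT, NAT_T_PORT,
                  NON_ESP_MARKER + ike_msg)


def classify_natt(udp_payload: bytes) -> str:
    """Demultiplex a received UDP/4500 datagram the way a NAT-T peer does."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike"
    spi = struct.unpack("!I", udp_payload[:4])[0]
    return f"esp spi=0x{spi:08x}"


def run_demo() -> dict:
    """Push raw ESP and NAT-T traffic from two inside hosts through the same PAT."""
    results = {}
    pat = PATDevice(PIX_OUTSIDE)
    try:
        pat.translate(raw_esp_packet(INSIDE_A, 0x1001, 1, b"cipher"))
        results["raw_esp"] = "translated"
    except ValueError as err:
        results["raw_esp"] = str(err)
    a = pat.translate(natt_esp_packet(INSIDE_A, 0x1001, 1, b"cipher-a"))
    b = pat.translate(natt_esp_packet(INSIDE_B, 0x2002, 1, b"cipher-b"))
    ike = pat.translate(natt_ike_packet(INSIDE_A, b"ike-header"))
    results["natt_src"] = (a.src, b.src)            # one shared outside address
    results["natt_ports"] = (a.sport, b.sport)      # but distinct outside ports
    results["classify"] = [classify_natt(p) for p in (a.payload, ike.payload, NAT_KEEPALIVE)]
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The raw ESP packet never gets a translation entry, which is exactly the symptom in the question: the tunnel negotiates over UDP/500 (which has ports) and then the first data packet dies at the PIX. Once the same two hosts send ESP inside UDP/4500, the PAT allocates 1024 and 1025 and both sessions survive, and the customer side can still tell IKE from ESP because a real SPI is never zero.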

3 Replies


Hello,

Thank you for the reply, but I did see this message from Glenn and I tried nat-traversal.

1. The remote VPN connection works if I dial in through a modem, no problem; I can connect to the services.

2. From behind the PIX the VPN connection can be established, but I can't ping anything, and my PIX has an error that it didn't translate on port 50.

3. I tried isakmp nat-traversal 20, but with this command I can't even establish a connection, even if I dial in through a modem.

4. I tried fixup protocol esp-ike, but the PIX gave me the following: "PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!"

So I am back to square 1.

Please, give me any other ideas.

Thank you very much.

Hello,

NAT-traversal does work.

Problem was in the network setup:

VPN client -- PIX -- Router -- Internet -- Customer router -- Customer PIX -- Customer Network.

On the customer router the port for NAT-T was closed.

In my case the port is 4500.

As soon as I added an access rule opening this port, everything started to work.

I hope this message can help another poor soul.

It is a shame that there are many open problems without any solutions.

It would be nice if the person who started a post could give 5 minutes to update on how they got on with their problem.

Kind regards,

Natalie
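How the two peers "determine during the tunnel build that there is a PAT/NAT device in between them" (Glenn's accepted answer), and why a closed UDP/4500 on the customer router, Natalie's final finding, leaves the tunnel unable to complete, as an added example that is not from the original posts or from Cisco. It implements the RFC 3947 NAT-D comparison and walks the port float through a constructed filter. Assumptions, all labelled in the code: SHA-1 as the hash phase 1 negotiated, made-up ISAKMP cookies, RFC 5737 addresses in place of the thread's, a PAT port of 1024 on the client-side PIX, and a customer router that passes UDP/500 (the non-NAT-T tunnel did come up in the thread) but not UDP/4500 until the access rule is added.

```python
import hashlib
import struct
from dataclasses import dataclass

UDP_IKE, UDP_NATT = 500, 4500

# Constructed values: ISAKMP cookies, a PAT port, and RFC 5737 addresses standing in
# for the thread's client (10.10.1.x), the PIX outside address and the customer PIX.
COOKIE_I = bytes.fromhex("0011223344556677")
COOKIE_R = bytes.fromhex("8899aabbccddeeff")
CLIENT, PIX_OUTSIDE, CUSTOMER_PIX = "10.10.1.5", "203.0.113.10", "198.51.100.1"
PAT_PORT = 1024


def nat_d(addr: str, port: int) -> bytes:
    """RFC 3947 sec. 3.2 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    The real hash is whatever phase 1 negotiated; SHA-1 is assumed here."""
    ip = bytes(int(octet) for octet in addr.split("."))
    return hashlib.sha1(COOKIE_I + COOKIE_R + ip + struct.pack("!H", port)).digest()


def nat_in_path(sent_self: bytes, sent_peer: bytes, seen_src: tuple, my_addr: tuple) -> dict:
    """Responder's check: the initiator sent a hash of its own address and one of the
    responder's; recompute both from what actually arrived and compare."""
    return {
        "initiator_behind_nat": sent_self != nat_d(*seen_src),
        "responder_behind_nat": sent_peer != nat_d(*my_addr),
    }


@dataclass
class CustomerRouter:
    """Stateless filter in front of the customer PIX: the UDP ports it lets through."""
    permitted_udp_ports: set

    def passes(self, port: int) -> bool:
        return port in self.permitted_udp_ports


def negotiate(router: CustomerRouter, client_pat_port: int = PAT_PORT) -> list:
    """Walk phase 1 over the thread's topology (client -- PIX doing PAT -- customer
    router -- customer PIX) and return a log of what happens at each step."""
    log = []
    if not router.passes(UDP_IKE):
        log.append("udp/500 dropped: phase 1 never starts")
        return log
    # The client hashes how it sees itself and its peer; the PIX then PATs the packet,
    # so the responder sees it arrive from PIX_OUTSIDE:client_pat_port instead.
    sent_self, sent_peer = nat_d(CLIENT, UDP_IKE), nat_d(CUSTOMER_PIX, UDP_IKE)
    verdict = nat_in_path(sent_self, sent_peer,
                          (PIX_OUTSIDE, client_pat_port), (CUSTOMER_PIX, UDP_IKE))
    log.append(f"phase 1 on udp/500: {verdict}")
    if not any(verdict.values()):
        log.append("no NAT detected: stay on udp/500 and raw ESP")
        return log
    # RFC 3947 sec. 4: once either side is behind a NAT, the rest of IKE moves to
    # udp/4500 and ESP is carried inside udp/4500 from then on.
    if not router.passes(UDP_NATT):
        log.append("float to udp/4500 dropped by customer router: tunnel never completes")
        return log
    log.append("float to udp/4500 accepted: IKE completes, ESP encapsulated in udp/4500")
    return log


BEFORE_FIX = CustomerRouter({UDP_IKE})            # only udp/500 open, the state Natalie found
AFTER_FIX = CustomerRouter({UDP_IKE, UDP_NATT})   # after the access rule for 4500

if __name__ == "__main__":
    for label, router in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label)
        for line in negotiate(router):
            print("  " + line)
```

This also explains the two different failures in the thread. With NAT-T off, phase 1 finishes on UDP/500 and only the raw ESP data dies at the PAT, so the client reports a connected tunnel with no traffic. With NAT-T on and UDP/4500 filtered, the peers detect the PAT from the NAT-D mismatch, move to 4500, and the first packet on the new port is dropped, so no tunnel at all. Opening UDP/4500 in both directions on anything between the client's PIX and the customer PIX is the check to make before touching the PIX configuration again.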