VPN to IOS from behind PAT interface on PIX

ctasher
Level 1

Hello... any help appreciated.

I am behind a PAT interface on a PIX, and have an ACL permitting ESP in. I am trying to connect to a 1701 IOS router using VPN. The connection works fine if I do not use PAT, but when using PAT I get the following error on the PIX syslog:

%PIX-3-305006: portmap translation creation failed for protocol 50 src dmz:IP_dmz dst outside:IP_out

NAT transparency is configured on the 1701.

CVPN client reports: 825 16:35:38.450 10/18/04 Sev=Warning/3 IKE/0xE3000068

Failed to send 192 bytes to IP_out, error = 0xFFFFFFEB

I am prompted for XAuth, but client hangs at 'Negotiating security policies...'

Any help?

rgds

Chris


scoclayton
Level 7

It does not appear that the "nat transparency" on your 1701 is working. The reason I say that is that your syslog message clearly states that PAT is choking due to an ESP packet. If "nat transparency" were working right, you would see this as a UDP based packet.

A couple of solutions:

1) Fix the "nat transparency" on the 1701 to work right

2) Upgrade to 6.3 code on your PIX (if you are not there already) and enable "fixup protocol esp-ike". This command allows one (and only one) IPSec tunnel through a PIX configured for PAT.

Let me know if any of this is unclear.

Scott
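The diagnosis above (raw ESP, protocol 50, hitting a PAT interface means NAT-T never engaged) can be turned into a small log-triage check. The following is an added example, not code from the thread or from Cisco; the message format is the 305006 line quoted in the post, the sample log lines and addresses are constructed, and the hint text reflects the two fixes Scott lists.

```python
import re
from typing import Optional

# PIX message 305006 as quoted in the post: a PAT (portmap) translation could
# not be built because the packet carries no L4 port. Fields captured as written.
PORTMAP_FAIL = re.compile(
    r"%PIX-3-305006: portmap translation creation failed for protocol (?P<proto>\d+)"
    r" src (?P<src_if>[\w-]+):(?P<src>\S+) dst (?P<dst_if>[\w-]+):(?P<dst>\S+)"
)

# IP protocols with no port field, so a PAT device cannot multiplex them.
PORTLESS = {50: "ESP", 51: "AH", 47: "GRE"}

def parse_portmap_failure(line: str) -> Optional[dict]:
    """Return the fields of a 305006 message, or None for any other line."""
    m = PORTMAP_FAIL.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["proto"] = int(fields["proto"])
    return fields

def diagnose(line: str) -> Optional[str]:
    """One-line triage hint for a 305006 message; None if the line is not one."""
    f = parse_portmap_failure(line)
    if f is None:
        return None
    where = f"{f['src']} ({f['src_if']}) -> {f['dst']} ({f['dst_if']})"
    if f["proto"] == 50:
        # Raw ESP reached the PAT interface: NAT-T did not engage (it would show
        # up as UDP/4500 instead). Check nat-transparency on the IOS peer, or on
        # PIX 6.3 enable 'fixup protocol esp-ike' (one tunnel only).
        return f"ESP {where}: NAT-T not in use; fix nat-transparency or use fixup protocol esp-ike"
    if f["proto"] in PORTLESS:
        return f"{PORTLESS[f['proto']]} {where}: portless protocol cannot be PAT-ed; needs 1:1 NAT"
    return f"protocol {f['proto']} {where}: unexpected portmap failure"

def triage(lines) -> list:
    """Collect hints for every 305006 message in a log excerpt."""
    return [h for h in map(diagnose, lines) if h]

# Constructed sample log excerpt; addresses are documentation-range placeholders.
SAMPLE_LOG = [
    "%PIX-3-305006: portmap translation creation failed for protocol 50 src dmz:192.0.2.10 dst outside:198.51.100.7",
    "%PIX-6-302015: Built outbound UDP connection 12 for outside:198.51.100.7/4500 to dmz:192.0.2.10/4500",
    "%PIX-3-305006: portmap translation creation failed for protocol 47 src dmz:192.0.2.11 dst outside:198.51.100.9",
]

if __name__ == "__main__": print(*triage(SAMPLE_LOG), sep="\n")
```

A working NAT-T tunnel shows up in the PIX log as the UDP/4500 connection (second sample line), which the check deliberately ignores.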

Thanks, that is an alternative. I will re-check the 1701 although I believe in 12.2 IOS this is enabled by default.