VPN-client behind a Pix 515

Discussion in 'Cisco' started by Christoph Gartmann, Apr 2, 2008.

  1. Hello,

    from within our LAN we would like to connect to some remote destination using
    Cisco's VPN-client software (latest version). Our LAN uses non-routed
    addresses, thus the Pix (software 7.2(3)) does NAT/PAT. On the pix we have
    "crypto isakmp nat-traversal 20" and "sysopt connection permit-vpn".
    Usually after a reboot of the Pix the client is able to establish a connection
    and things are fine. But after a few hours things are somehow changing.
    Whenever the client tries to establish a connection, the password prompt
    appears. But soon after the password has been entered the connection closes.
    Thus, what could be wrong here?

    Regards,
    Christoph Gartmann

    --
    Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    Immunbiologie
    Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
    D-79011 Freiburg, Germany
    http://www.immunbio.mpg.de/home/menue.html
    Christoph Gartmann, Apr 2, 2008
    #1

  2. Since you can make the connection once, I'm not sure this will help, though
    the times that we've had customers that want to VPN back to their
    mothership, we've had to add the following in our ACL_outside access list:

    access-list acl_outside extended permit gre host <remote VPN Server> any
    access-list acl_outside extended permit esp host <remote VPN Server> any

    There are some remote end initiated packets that come back that need to be
    let in.

    I thought that the
    "crypto isakmp nat-traversal 20" and "sysopt connection permit-vpn" were
    for configuring VPN into the PIX, not out of the PIX.

    I've seen that some of the Linksys/Dlink routers will only allow one
    outbound VPN connection at a time. I didn't think the PIX had that issue. Though we
    use mostly NAT and not PAT, whereas all of the Linksys/Dlink routers use
    PAT (even though they say it's NAT).

    Scott<-



    "Christoph Gartmann" <> wrote in message
    news:ft03pt$9c1$...
    > Hello,
    >
    > from within our LAN we would like to connect to some remote destination
    > using
    > Cisco's VPN-client software (latest version). Our LAN uses non-routed
    > addresses, thus the Pix (software 7.2(3)) does NAT/PAT. On the pix we have
    > "crypto isakmp nat-traversal 20" and "sysopt connection permit-vpn".
    > Usually after a reboot of the Pix the client is able to establish a
    > connection
    > and things are fine. But after a few hours things are somehow changing.
    > Whenever the client tries to establish a connection, the password prompt
    > appears. But soon after the password has been entered the connection
    > closes.
    > Thus, what could be wrong here?
    >
    > Regards,
    > Christoph Gartmann
    >
    > --
    > Max-Planck-Institut fuer Phone : +49-761-5108-464 Fax: -452
    > Immunbiologie
    > Postfach 1169 Internet: gartmann@immunbio dot mpg dot de
    > D-79011 Freiburg, Germany
    > http://www.immunbio.mpg.de/home/menue.html
    Scott Townsend, Apr 2, 2008
    #2