VPN on PIX can't work with vpn client behind nat

Discussion in 'Cisco' started by Tomi, May 10, 2005.

  1. Tomi

    Tomi Guest

My network looks like this:


    LAN <-->PIX(VPN)<-->INTERNET<-->SERVER(linux)<-->comp_VPN_CLIENT


I am trying to create a VPN tunnel from one computer on the LAN to comp_VPN_CLIENT
and use the PIX as the VPN server.
When I connect from a public IP without SERVER(linux), so that my
network looks like this:
LAN <-->PIX(VPN)<-->INTERNET<-->comp_VPN_CLIENT
everything is good; I can connect to host 10.10.0.5 without any problems.

This is my config:

access-list vpn permit ip 10.10.0.5 255.255.255.255 192.168.0.8 255.255.255.255

    ip local pool ePoll 192.168.0.9

    nat (inside) 0 access-list vpn
    sysopt connection permit-ipsec

    crypto ipsec transform-set transSetE esp-aes-256 esp-sha-hmac

    crypto dynamic-map dynMapE 20 set transform-set transSetE

    crypto map mapaE 20 ipsec-isakmp dynamic dynMapE
    crypto map mapaE interface outside

    isakmp identity address

    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    vpngroup e address-pool ePoll
    vpngroup e dns-server A.B.C.D
    vpngroup e default-domain domain.pl
    vpngroup e split-tunnel vpn
    vpngroup e idle-time 1800
    vpngroup e password *****

What is wrong, or what did I forget?

Sorry for my English :)
     
    Tomi, May 10, 2005
    #1

  2. Tomi

    Guest

You need to split your ACL "vpn". You cannot have the same ACL for the NAT 0
statement and also use it for split-tunnel. Also, you are missing the
"isakmp nat-traversal" command.
     
    , May 10, 2005
    #2

  3. In article <>,
    <> wrote:
    :you need to split your ACL vpn. you cannot have the same acl for NAT 0
    :statement, and also use it for split-tunnel.

Although it is usually a bad idea to use the same ACL for two purposes,
it is considered to be valid as long as one of the purposes is not
as an access-group. There are known bugs in some versions with
sharing a nat 0 access-list with a crypto map access-list, but
I'm not -aware- of any restriction on sharing a nat 0 access-list
with a split-tunnel usage. Would you have a citation or bug number
for this restriction?


    :Also you are missing the "isakmp nat-traversal" command.

    If the OP's version supports that. Unfortunately the OP did not
    say which software version is involved.

    With the information we have been given, we can't be sure that the
    Linux system is forwarding packets at all, or that it is forwarding
    all necessary protocols. I would ask the OP: if you turn off the
    VPN client, and if you configure the PIX with the 'icmp' command
    to accept echo on the outside interface, then can you ping through
    to the remote PIX through the Linux system? In other words, isolate
    whether the packets are getting through at all.
    --
    "Mathematics? I speak it like a native." -- Spike Milligan
     
    Walter Roberson, May 10, 2005
    #3
  4. Tomi

    Tomi Guest


    > VPN client, and if you configure the PIX with the 'icmp' command
    > to accept echo on the outside interface, then can you ping through
    > to the remote PIX through the Linux system? In other words, isolate
    > whether the packets are getting through at all.

It's OK, I can ping the Linux box from the LAN behind the PIX.
I use isakmp nat-traversal.
But I still can't connect to the host.
How should I split the ACL? I read some materials on the Cisco website, and they
say to do it this way (nat 0 and split-tunnel use one ACL).
     
    Tomi, May 11, 2005
    #4
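To make the two suggestions in this thread concrete, here is a PIX 6.3-style configuration as an added example; it is not the poster's config and not taken from Cisco documentation. It gives nat 0 and the split-tunnel list separate ACLs (the thread disagrees on whether that is required; Cisco's own PIX 6.x examples share one ACL, and splitting costs nothing) and enables isakmp nat-traversal, which exists from PIX 6.3 onward, so the software version matters as Walter notes. One check a practitioner would make against the posted config: the pool hands out 192.168.0.9 while the ACL exempts 192.168.0.8, and traffic to a client address that is not in the nat 0 list is not exempted from translation, so the example uses 192.168.0.9 in both places. The `isakmp enable outside` line is assumed since the posted excerpt does not show it; the ACL names nonat and splittunnel, the DNS server address and the password are placeholders.

```cisco
: Added example for PIX 6.3; not the poster's configuration.
: Remote-access client pool: a single address, 192.168.0.9, as in the posted pool.
ip local pool ePoll 192.168.0.9

: Two ACLs with identical entries: one for NAT exemption, one for split tunnelling.
: The destination is the client pool address; it must match what the pool hands out.
access-list nonat permit ip host 10.10.0.5 host 192.168.0.9
access-list splittunnel permit ip host 10.10.0.5 host 192.168.0.9

: Do not translate traffic from the protected host to the VPN client.
nat (inside) 0 access-list nonat
: Let decrypted IPsec traffic bypass the outside interface access-group.
sysopt connection permit-ipsec

: Phase 2: AES-256 with SHA-1 HMAC, the same transform set as the posted config.
crypto ipsec transform-set transSetE esp-aes-256 esp-sha-hmac
crypto dynamic-map dynMapE 20 set transform-set transSetE
crypto map mapaE 20 ipsec-isakmp dynamic dynMapE
crypto map mapaE interface outside

: Phase 1. 'isakmp enable outside' is assumed here; the posted excerpt omits it.
isakmp enable outside
isakmp identity address
: NAT traversal (PIX 6.3+): once both peers detect a NAT on the path, ESP is
: carried inside UDP/4500, and a keepalive every 20 seconds holds the Linux
: box's NAT mapping open while the tunnel is idle.
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

: Unity client group 'e'. DNS server address and password are placeholders.
vpngroup e address-pool ePoll
vpngroup e dns-server A.B.C.D
vpngroup e default-domain domain.pl
vpngroup e split-tunnel splittunnel
vpngroup e idle-time 1800
vpngroup e password *****
```

With NAT-T negotiated, the Linux box only has to pass UDP/500 and UDP/4500 from the client outward and keep those mappings; ESP (IP protocol 50) no longer has to cross it, which is exactly the case NAT breaks without NAT-T. The client side must have transparent tunnelling (IPsec over UDP) enabled. On the PIX, `show isakmp sa` confirms phase 1 came up and `show crypto ipsec sa` shows the negotiated peer; if the peer appears with port 4500, NAT traversal was detected and used. If phase 1 never completes, Walter's isolation step still applies: confirm with the client stopped that the PIX is reachable through the Linux system at all before looking at the crypto configuration.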