Cisco VPN through a PIX 501 to another PIX?

Discussion in 'Cisco' started by Andrew J Instone-Cowie, Jan 20, 2004.

  1. I've been Googling this problem for about an hour, and it looks like
    it's an old chestnut of a question, but I'm getting no nearer a
    solution, and am rapidly losing my hair!

    The wife's work have put in a PIX (model and software versions
    unknown, but probably nothing fancy) to allow remote workers to
    connect in. We have a PIX 501 between the home network and the
    Internet router.

    So we have:
    Win2K PC, Cisco VPN Client (4.0.3(A)) --> PIX 501 (6.3(1)) --> Router
    --> Internet --> Other PIX --> Internal Hosts

    It's the usual story that if I plug the PC directly into the Router,
    all is fine - I get an IPSec connection established and can ping the
    IP addresses of the internal hosts.

    If I plug the router into the PIX 501, I still get the IPSec session
    established (and still get an IP address and DNS addresses allocated
    from the Other PIX), but I can't ping any of the internal hosts. The
    VPN Client tells me that it has sent a few kB, but received zero
    bytes. Winding up the logging on the client and debugging the packets
    on the 501 show that there is some kind of exchange of packets going
    on (keepalives?).

    The VPN client is configured for Transparent Tunnelling ("IPSec over
    UDP (NAT/PAT)"), and I seem to recall somewhere that IPSec over TCP is
    not an option for the Other (VPN Gateway) PIX. Our PIX 501 is doing
    NAT only (not PAT).

    I've tried "fixup prot esp-ike" and/or "isakmp nat-traversal" on my
    PIX 501, but singly or together they give no improvement. Is there
    something that needs to be done on the Other PIX?

    Thoroughly confused...
    Andrew
     
    Andrew J Instone-Cowie, Jan 20, 2004
    #1

  2. Jo Knight (Guest)

    Yes, they will need to have NAT Traversal enabled on the PIX at their end.

    isakmp nat-traversal 20

    Jo
     
    Jo Knight, Jan 20, 2004
    #2

  3. Thanks, I'll see if I get them to enable that. Presumably I would need
    to set the esp-ike fixup on my PIX, but not NAT Traversal?

    Regards
    Andrew
     
    Andrew J Instone-Cowie, Jan 21, 2004
    #3
  4. Jo Knight (Guest)

    On my PIX I haven't enabled any fixups and it works fine connecting to
    various other PIXs using the Cisco Client.
     
    Jo Knight, Jan 21, 2004
    #4
  5. Atif Sajid (Guest)

    I would suggest on your home PIX open the IP protocol 50/51 and UDP
    port 500 for ISAKMP for inbound traffic (use access-list). That
    should allow your VPN connection to work fine.
     
    Atif Sajid, Jan 21, 2004
    #5
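The two suggestions above (Jo's `isakmp nat-traversal` on the remote gateway PIX in #2 and Atif's inbound access-list on the home PIX 501 in #5) combined into one PIX 6.3-style configuration fragment. This is an added illustration, not configuration posted by anyone in the thread: the addresses are constructed documentation addresses, the access-list name `vpn_in` is an assumption, and UDP 4500 is added beyond the thread's 50/51/500 because that is the port NAT-T (RFC 3947) uses once the peers negotiate it.

```cisco
! ===== Remote (VPN gateway) PIX, the one the wife's employer runs =====
! Let IKE detect the NAT between client and gateway and switch to
! UDP-encapsulated ESP (UDP 4500). 20 = NAT keepalive interval in seconds.
isakmp nat-traversal 20

! ===== Home PIX 501 (NAT only, no PAT) =====
! Permit the VPN return traffic inbound on the outside interface.
! Restrict the source to the gateway's address instead of "any" so the
! home network only accepts IPsec from the one peer it actually talks to.
!   192.0.2.1    = outside address of the remote gateway PIX  (placeholder)
!   203.0.113.10 = global (NAT-translated) address of the PC   (placeholder)
! esp = IP protocol 50, ah = IP protocol 51 (numbers work too)
access-list vpn_in permit esp host 192.0.2.1 host 203.0.113.10
access-list vpn_in permit ah  host 192.0.2.1 host 203.0.113.10
access-list vpn_in permit udp host 192.0.2.1 host 203.0.113.10 eq 500
access-list vpn_in permit udp host 192.0.2.1 host 203.0.113.10 eq 4500
access-group vpn_in in interface outside

! Fallback only if the gateway side will NOT enable NAT traversal:
! pass native ESP through the 501 (full syntax of "fixup prot esp-ike").
! This cannot be combined with enabling isakmp on the 501 itself.
! fixup protocol esp-ike

! ===== Checks on the home PIX after the client connects =====
! show xlate : expect a translation for the PC to 203.0.113.10
! show conn  : expect UDP 500 and, with NAT-T negotiated, UDP 4500 entries
show xlate
show conn
```

An interface takes a single inbound access-group, so if the outside interface already has an access-list applied, add the four `permit` lines to that list rather than creating `vpn_in` and replacing it. The `show conn` output is the quick way to tell which path was taken: a UDP 4500 connection means NAT-T was negotiated and the ESP/AH lines are not being hit; only UDP 500 plus a growing but one-directional byte count on the client points back to the original symptom.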
  6. Thanks, I'll see what they say about the config.

    Regards
    Andrew
     
    Andrew J Instone-Cowie, Jan 22, 2004
    #6
