VPN Client Connect to PIX FW but cannot browse internal network..

Discussion in 'Cisco' started by toureg69, Dec 16, 2006.

  1. toureg69

    toureg69 Guest

    Having a problem connecting to any internal servers once I establish a
    VPN connection through the PIX 506e firewall. I was trying to use IAS
    server instead of creating a bunch of vpngroups.


    Internal Network
    (IAS is on the internal network)

    Please see below's config. I know it's a routing issue but cannot
    figure it out. Any information is appreciated. Thanks!

    PIX# sho run

    access-list 103 permit ip

    ip local pool ippool 10.XX.XX.XXX-10.XX.XX.XXX

    global (outside) 1 interface

    nat (inside) 0 access-list 103
    nat (inside) 1 0 0

    access-group 101 in interface outside

    route outside 1

    aaa-server radius-server protocol radius
    aaa-server radius-server (inside) host cisco123 timeout 10

    sysopt connection permit-ipsec

    crypto ipsec transform-set testset esp-3des esp-md5-hmac
    crypto dynamic-map testmap 10 set transform-set testset
    crypto map testconn 10 ipsec-isakmp dynamic testmap
    crypto map testconn client authentication radius-server
    crypto map testconn interface outside

    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    vpngroup testias address-pool ippool
    vpngroup testias dns-server DNS1 DNS2
    vpngroup testias wins-server WINS1
    vpngroup testias default-domain DOMAIN1
    vpngroup testias idle-time 1800
    vpngroup testias password
    toureg69, Dec 16, 2006
    1. Advertisements

  2. toureg69

    Brian V Guest

    isakmp nat-traversal 20
    Brian V, Dec 16, 2006
    1. Advertisements

  3. toureg69

    toureg69 Guest

    Thanks so much Brian!! You are the man!!

    What does this command do:

    "isakmp nat-traversal 20 "

    Please explain this to me.
    toureg69, Dec 16, 2006
  4. toureg69

    Brian V Guest

    In short, it allows a device that is behind a NAT/PAT IP address to pass
    traffic thru the firewall.

    The official Cisco answer:
    isakmp nat-traversal

    Network Address Translation (NAT), including Port Address Translation (PAT),
    is used in many networks where IPSec is also used, but there are a number of
    incompatibilities that prevent IPSec packets from successfully traversing
    NAT devices. NAT traversal enables ESP packets to pass through one or more
    NAT devices.

    The firewall supports NAT traversal as described by Version 2 and Version 3
    of the IETF "UDP Encapsulation of IPsec Packets" draft, available at
    http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is
    supported for both dynamic and static crypto maps. NAT traversal is disabled
    by default on the firewall.

    To enable NAT traversal, check that ISAKMP is enabled (you can enable it
    with the isakmp enable if_name command) and then use the isakmp
    nat-traversal [natkeepalive] command. (This command appears in the
    configuration if both ISAKMP is enabled and NAT traversal is enabled.) If
    you have enabled NAT traversal, you can disable it with the no isakmp
    nat-traversal command. Valid values for natkeepalive are from 10 to 3600
    seconds. The default is 20 seconds.

    If needed, the show isakmp sa detail command assists in debugging NAT
    Brian V, Dec 17, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.