
cisco software vpn client passing through pix 506

Status
Not open for further replies.

otter77 (IS-IT--Management), Feb 1, 2005, US
Hi all - I apologize in advance if this question has already been asked but I wasn't able to specifically find it in the archives...

I have a user on my network behind my pix506 with a static mapping to a public IP address for the purpose of allowing him to make VPN connections using Cisco's software VPN client on Windows 2000 Prof. The object of which is to connect to a vendor's network on a temporary and occasional basis for regular SQL queries against their server.

I set up a static mapping for him using one of our block of IP addresses and it works for normal internet browsing, email, etc... but when I try to establish the tunnel using the vpn software, it acts like it made a proper connection, but then I always get 0 under "packets received" for the connection status and a non-working SQL connection and the inability to ping servers on the vendor's network side.

I'm guessing here that something in my pix is blocking these vpn session return packets. Do any of your experts know if this is the case AND.... more importantly... what lines I could/should add to my pix to fix the problem?

Thanks!!!
 
Is your vpn client using the same network as the inside of the pix? If it is, then you need to change your vpn pool to something else that is not used anywhere in your network.

If you take a look at this sample config, you will notice the vpn pool is a different network.

If that is not the case then check your access-list.
 
Yes, make sure you allow traffic from the other network to come in the external interface on the firewall.

access-list Remote_Site_Allow permit ip <network> <mask> <network> <mask>
access-group Remote_Site_Allow in interface outside

I believe that is how you should have it set up, but remember to substitute the <network> and <mask> values.

Computer/Network Technician
CCNA
 
Instead of configuring a static translation why don't you ask the vendor's site to enable NAT-T on the headend device. The reason for the static translation was NAT devices weren't able to handle the ESP protocol. With NAT-T the ESP is encapsulated in a UDP packet so the static translation is no longer needed. Hope it helps!
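The point made in the reply above (raw ESP gives a port-based NAT nothing to key on, while NAT-T wraps it in UDP/4500) can be seen by looking at the packet headers. The following is an added illustration, not code from the thread or from Cisco: it builds constructed sample packets (raw ESP over IP protocol 50, ESP inside UDP/4500 per RFC 3948, and IKE on UDP/500 and UDP/4500 with the four-byte non-ESP marker) and reports, for each, what a PAT device could track. The addresses, SPI and payload bytes are made up for the example.

```python
"""Classify IPv4 packets as raw ESP, NAT-T encapsulated ESP, IKE or other,
and report whether a port-translating NAT has anything to track.

Constructed example: the packets are built in this file, not captured."""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE inside UDP/4500 starts with this


def build_ipv4(proto, payload, src="192.168.1.50", dst="203.0.113.10"):
    """Minimal IPv4 header (no options); checksum left at zero since it is not parsed."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def build_esp(spi, seq, body):
    """ESP header is just SPI + sequence number, then encrypted data: no ports at all."""
    return struct.pack("!II", spi, seq) + body


def build_udp(sport, dport, payload):
    """UDP header with length filled in and checksum left at zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Return a dict describing the packet and whether PAT can map it by port."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]

    if proto == IPPROTO_ESP:
        spi, _seq = struct.unpack("!II", payload[:8])
        # Only an SPI and sequence number: a PAT device has no port to rewrite,
        # which is why a one-to-one static translation was needed.
        return {"kind": "esp", "spi": spi, "pat_capable": False}

    if proto == IPPROTO_UDP:
        sport, dport, length, _cksum = struct.unpack("!HHHH", payload[:8])
        udp_payload = payload[8:length]
        ports = (sport, dport)
        if IKE_PORT in ports:
            return {"kind": "ike", "ports": ports, "pat_capable": True}
        if NAT_T_PORT in ports:
            if udp_payload[:4] == NON_ESP_MARKER:
                return {"kind": "ike-nat-t", "ports": ports, "pat_capable": True}
            # Anything else on 4500 is ESP whose first four bytes are the (non-zero) SPI.
            spi = struct.unpack("!I", udp_payload[:4])[0]
            return {"kind": "esp-nat-t", "spi": spi, "ports": ports, "pat_capable": True}
        return {"kind": "udp", "ports": ports, "pat_capable": True}

    # TCP (6) has ports too; everything else is treated as not PAT-friendly here.
    return {"kind": "other", "protocol": proto, "pat_capable": proto == 6}


if __name__ == "__main__":
    esp_body = build_esp(0x11223344, 1, b"ciphertext-placeholder")
    samples = {
        "raw ESP": build_ipv4(IPPROTO_ESP, esp_body),
        "ESP in UDP/4500": build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, esp_body)),
        "IKE in UDP/4500": build_ipv4(IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, NON_ESP_MARKER + b"\x00" * 28)),
        "IKE on UDP/500": build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    }
    for name, pkt in samples.items():
        print(f"{name:16s} -> {classify(pkt)}")
```

The raw ESP sample is the one a PAT device (the poster's PIX without a dedicated static) cannot track; the two UDP/4500 samples are what the headend sends once NAT-T is enabled, and they translate like any other UDP flow.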
 