
ipsec nat-traversal with pix and cisco vpn client


acr (Technical User), Jul 17, 2003
Hi there
I know this should be an easy task, but I just can't make it work. I'm trying to get transparent tunnelling working between a pix running 6.3(1) and cisco vpn client 4.0.1.

The client connects just fine, but the transparent tunnel is inactive.

I hope someone can push me in the right direction. I figure I'm just missing something really silly (I'm new to this so please forgive me).

"Enable Transparent Tunnelling" is turned on and set to UDP on the client.

Here's my pix config...

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto map mymap interface dmz1
isakmp enable outside
isakmp enable dmz1
isakmp identity address
isakmp nat-traversal 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

 
HI.

> The client connects just fine, but the transparent tunnel is inactive
The use of transparent tunneling is optional at the client, so it will default to standard IPSec if possible (I think..).

How exactly did you test?
What were the exact results?
Try with different Internet connections for the remote client (dial-up, DSL, behind another NAT/firewall etc...)

Bye


Yizhar Hurwitz
 
Hi yizhar
The transparent tunnel option on the VPN client is turned on, so I figure it would try to negotiate this with the PIX and fall back to ipsec over ESP if it fails.

I have run three tests using different connection methods.
Each test is from a different PC using the Cisco VPN client software.
First is from a PC behind an ADSL router.
Second is from a PC that connects to a dial-in router connected to the DMZ1 interface.
Third test was from a PC that connected directly to the Internet via a PSTN modem.

The results are the VPN client on the PC makes a successful connection, and I can send/receive to/from the private network just fine. But "Transparent Tunnelling" is set to "Inactive" and if I put any one of the three above tests behind a NAT router, the VPN client is able to send packets, but nothing is received.

Hope this explains things better.
Thanks for any help.
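As an added diagnostic that is not part of this thread (my own code, not Cisco's): the symptom above (client sends, nothing returns once a NAT is in the path) is usually settled by looking at what the client actually emits, i.e. raw ESP (IP protocol 50, which PAT devices cannot map) versus ESP encapsulated in UDP/4500 as defined by RFC 3948. This Python classifier labels each packet in a raw IPv4 capture accordingly and summarises whether transparent tunnelling is active; the sample packets are constructed, with placeholder addresses and zero checksums.

```python
import struct
from collections import Counter
IKE_PORT, NAT_T_PORT, UDP_PROTO, ESP_PROTO = 500, 4500, 17, 50

def classify_ipv4(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the IKE/IPsec encapsulation it carries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == ESP_PROTO:
        return "esp-raw"            # IP proto 50: no ports, so PAT devices drop or mangle it
    if proto != UDP_PROTO or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike-udp500"         # plain IKE; NAT-T not (yet) negotiated
    if NAT_T_PORT in (sport, dport):
        if payload == b"\xff":      # RFC 3948 NAT-keepalive: a single 0xFF octet
            return "nat-t-keepalive"
        # RFC 3948: IKE on UDP/4500 is prefixed with a 4-byte zero "non-ESP marker";
        # anything else is ESP-in-UDP, whose first 4 bytes are a non-zero SPI.
        return "ike-udp4500" if payload[:4] == b"\x00\x00\x00\x00" else "esp-in-udp"
    return "other"

def diagnose(pkts) -> str:
    """Summarise a client-side capture in terms of the thread's symptom."""
    c = Counter(classify_ipv4(p) for p in pkts)
    if c["esp-in-udp"]:
        return "transparent tunnelling ACTIVE: ESP encapsulated in UDP/4500"
    if c["esp-raw"]:
        return "transparent tunnelling INACTIVE: raw ESP (IP proto 50) in use"
    return "no IPsec data traffic seen"

# --- constructed sample packets (hypothetical addresses; checksums left 0) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 2]), bytes([203, 0, 113, 1]))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SPI = b"\x12\x34\x56\x78"
CAPTURE_NO_NAT_T = [ipv4(UDP_PROTO, udp(500, 500, b"\x00" * 28)),       # IKE main mode
                    ipv4(ESP_PROTO, SPI + b"\x00" * 12)]                # raw ESP data
CAPTURE_NAT_T = [ipv4(UDP_PROTO, udp(500, 500, b"\x00" * 28)),
                 ipv4(UDP_PROTO, udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28)),  # IKE + marker
                 ipv4(UDP_PROTO, udp(4500, 4500, SPI + b"\x00" * 12))]          # ESP-in-UDP
```

Feed it the packets of a real client capture (e.g. bytes read from a pcap with any pcap reader) in place of the constructed lists; a capture with only "ike-udp500" and "esp-raw" labels means NAT-T was never negotiated, whatever the client GUI says.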
 
HI.

I don't know why it is so, but here are some more ideas:

> so I figure it would try to negotiate this with the PIX and fall back to ipsec over ESP it it fails.
I think that the order is ESP first - but I'm not sure about it.

I would try to also test with different client version like 3.6.3 just to check.

> if I put any one of the three above tests behind a NAT router
What NAT router? Try with different devices.

If you have a spare pix 501 for the test, you can also try to put a client behind it, allow outbound PAT only, and connect it to your firewall (directly or via ISP).

When you find the solution - please share it with us.

Bye


Yizhar Hurwitz
 
> I would try to also test with different client version like 3.6.3 just to check.
Good idea - I just tried it, but no go. The results are the same.

>> if I put any one of the three above tests behind a NAT router
> What NAT router? Try with different devices.
I have tried the client behind a Cisco 827 and a D-Link (can't remember the model). I've also tried it on a GPRS modem. This connection is also behind NAT, but I'm unsure what devices the telco uses.

> If you have a spare pix 501 for the test, you can also try to put a client behind it , allow outbound PAT only, and connect it to your firewall (directly or via ISP).
That's about the point I'm at. I've tried so many remote scenarios (PCs, connection types etc), I'm convinced the problem is on my PIX. I will try a simple scenario on a test 501 as you suggest.

> When you find the solution - please share it with us.
I'll make sure this thread is the first to know. It's driving me crazy.

Thanks for your suggestions.
 
Try this registry addition on your client:

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

We had to add this in order to get Group Policy to work over VPN
 