
Pix 515 and VPN Client 3 behind firewall using PAT 1


danhand (Technical User), Jun 13, 2001
Hi, hope you have some ideas here.
I have just upgraded our PIX to version 6.01 and have got the new VPN Client 3 working.
All is fine unless the client is located behind a router at home that uses PAT, as it only has one IP address. I have checked the box on the client that says use NAT, but I feel that I need to action something on the PIX.
Do I need to allow a port for ESP?

Any comments will be gratefully received.
Dan
 
We also have a PIX 515 running version 6.01 and we are also using the VPN 3.0 client. I have many users successfully using the VPN 3.0 client behind PAT firewalls, particularly ones on cable modems and DSL. If the VPN client works when it is not behind the client side firewall, I would assume the PIX config is correct.

My guess is the problem is on the client side firewall or between the client side and the PIX. I have heard of some ISPs blocking VPN traffic: ESP, AH, ISAKMP.

What type of firewall is on the client side?
Does the client work from that location if the firewall is not running or if it is completely open?
 
My setup is a W2K server with NAT for the inside network. The outside is a cable modem with DHCP addressing. The firewall is ZoneAlarm Pro.
The client is installed on a W2K machine on the inside. If I disconnect the server and place the client machine on the cable modem, all works fine.
I also have a colleague who has a ZyXEL ISDN router acting as NAT for his internal network. He has a fixed IP address and the client is running on NT4 Server.
I am using the vpngroup command for authentication on the PIX.
When debugging I have noticed that the PIX receives the first ISAKMP request and checks it against the policies; when it does the match and responds, nothing happens.
I feel it is a checksum/port problem but can't find a way to turn off the checksum.
Any ideas?
 
Actually, one of the guys I work with had the same problem with the Windows 2000 server doing NAT. I do not recall how he got around it. I will check with him about his solution. Also, most of my clients have hardware-based routers between their clients and their DSL/cable connection.

You can enable debugging (debug crypto ipsec + debug crypto isakmp) on the PIX and see what happens when the client connects. That may reveal more information.

You may also try using something other than Windows 2000 NAT, Winroute will probably do it just fine.

Jason
 
Forgot to mention the client log. On the client there is a Log Viewer application. You can change the filter to high for each item and then start capturing before you connect to the PIX. This will give you details on the connection from the client side.

Jason
 
Winroute works fine (a bit of tweaking on W2K).
I had been looking at the PIX and client logs and could see the initial authentication, but once ISAKMP had finished and IPsec was introduced it failed. On the PIX it got as far as the first "ISAKMP (0): atts are acceptable. Nextpayload is 0".
My next problem is that some users currently have ZyXEL ISDN routers that don't understand protocol 50, so they are no good, and they don't want a PC as a gateway as "it is much larger and not as pretty". Any ideas of ISDN routers that may do the job? I have spoken to ZyXEL and the next firmware for their 202 may have the functionality but doesn't currently do so.
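Added example, not part of the thread or of any Cisco or ZyXEL code: a small Python model of a PAT gateway, fed constructed packets, that shows why a home router "doesn't understand protocol 50" and why the opening question "do I need to allow a port for ESP?" has no port to name. ESP is IP protocol 50; after the IP header it carries only an SPI (chosen by the receiver) and a sequence number, so a PAT table keyed on transport ports has nothing to rewrite. The same ESP payload wrapped in UDP (RFC 3948 NAT-T, UDP 4500) does get a port, and two hosts behind one public address map to two distinct public ports. The addresses (TEST-NET ranges), the SPI, the port pool and the ciphertext bytes are all constructed values; which software versions support UDP encapsulation is not something this thread establishes.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

IPPROTO_UDP = 17
IPPROTO_ESP = 50        # an IP protocol number, not a TCP/UDP port
NAT_T_PORT = 4500       # RFC 3948: ESP carried inside UDP so NAT/PAT can map it
IPV4_FMT = "!BBHHHBBH4s4s"


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport: int, dport: int, body: bytes) -> bytes:
    """UDP header; checksum 0 means 'none', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP (RFC 4303) header: SPI and sequence number, then encrypted data. No ports at all."""
    return struct.pack("!II", spi, seq) + ciphertext


def summarize(pkt: bytes):
    """(src_ip, proto, source port or SPI) of the outer headers, for inspection and tests."""
    fields = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    src, proto = str(IPv4Address(fields[8])), fields[6]
    if proto == IPPROTO_UDP:
        return src, proto, struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    if proto == IPPROTO_ESP:
        return src, proto, struct.unpack("!I", pkt[ihl:ihl + 4])[0]
    return src, proto, None


@dataclass
class PatGateway:
    """One public IP; outbound flows are keyed on (inside IP, inside port, proto)."""
    public_ip: str
    next_port: int = 40000                      # constructed public port pool
    table: dict = field(default_factory=dict)

    def translate(self, pkt: bytes):
        """Return (translated packet or None, reason)."""
        fields = list(struct.unpack(IPV4_FMT, pkt[:20]))
        ihl = (fields[0] & 0x0F) * 4
        proto, inside_ip = fields[6], str(IPv4Address(fields[8]))
        if proto == IPPROTO_ESP:
            spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]
            # Nothing after the IP header carries a port, and the SPI belongs to the
            # receiver's SA and cannot be rewritten, so a plain PAT has no mapping to make.
            return None, "ESP spi=0x%08x from %s: no port field, PAT cannot map it" % (spi, inside_ip)
        if proto != IPPROTO_UDP:
            return None, "protocol %d not handled by this PAT model" % proto
        sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        key = (inside_ip, sport, proto)
        if key not in self.table:               # new flow: allocate a public port
            self.table[key] = self.next_port
            self.next_port += 1
        pub_port = self.table[key]
        fields[7], fields[8] = 0, IPv4Address(self.public_ip).packed   # zero csum, swap src
        hdr = struct.pack(IPV4_FMT, *fields) + pkt[20:ihl]
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
        udp = struct.pack("!HHHH", pub_port, dport, ulen, 0) + pkt[ihl + 8:]
        return hdr + udp, "UDP %s:%d -> %s:%d" % (inside_ip, sport, self.public_ip, pub_port)


def demo() -> dict:
    """Two hosts behind one PAT talking to one IPsec peer: raw ESP versus NAT-T."""
    gw = PatGateway("203.0.113.1")              # constructed public address
    peer = "198.51.100.10"                      # constructed PIX outside address
    esp = build_esp(0x1234ABCD, 1, b"\x00" * 32)   # zeros stand in for ciphertext
    raw_a = build_ipv4("192.168.1.20", peer, IPPROTO_ESP, esp)
    natt_a = build_ipv4("192.168.1.20", peer, IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, esp))
    natt_b = build_ipv4("192.168.1.21", peer, IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, esp))
    return {
        "raw_esp": gw.translate(raw_a),
        "nat_t_host_a": gw.translate(natt_a),
        "nat_t_host_b": gw.translate(natt_b),
        "nat_t_host_a_again": gw.translate(natt_a),   # existing flow keeps its port
    }


if __name__ == "__main__":
    for name, (pkt, reason) in demo().items():
        print(name, "->", reason, summarize(pkt) if pkt else "")
```

Running it prints one line per case: the raw ESP packet is refused with "no port field", the two NAT-T packets leave as 203.0.113.1:40000 and 203.0.113.1:40001, and a second packet of the first flow reuses 40000. The model deliberately does not try the SPI-tracking tricks some routers use to pass a single IPsec client; those are a workaround for the absence of a port, which is exactly what UDP encapsulation removes.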
 
I'm glad to hear Winroute is working. I guess Windows 2000 doesn't really support the full range of protocols it should.

About the ZyXEL routers, I don't have much experience with ISDN routers. I recently purchased a wireless cable router from D-Link and I am able to run my VPN client behind it just fine. Perhaps they may have an ISDN router that will work. Another approach may be to just install a personal firewall on the home computer and have the ISDN terminate directly into the computer.

Sorry I could not be more help.
 
Don't worry, your help has been just the stepping stone I needed. I shall look about for an ISDN router and feed back to the forum.
Thanks again,
Dan
 