Troubles with NAT and VPN

[LeoFender]

Hi all VPN guru's,
I'm facing some problems using Cisco VPN Client (Version 3.6.4) when try to connect to a Cisco Secure PIX (Version 6.3).

If I try to connect from a public IP address, everything is fine. But if I try to connect from a NATted lan (let's say 10.0.0.0/8), even if the Enable Transparent Tunneling flag is checked, I got a "Remote peer is no longer responding." message.

Any ideas?

TIA

Leo

 

[danr19]

Hi,

Have you enabled Nat traversal on the PIX?
If not, try this command: "isakmp nat-traversal"
You should get the latest version of VPN Client (4.0.X)

Good luck,

danr19

 

[LeoFender]

Hi danr19,

the isakmp command was already implemented on the firewall.

I've even upgraded my VPN Client, but works (better say doesn't work) in the same way.

Looking deeper at this issue, I realized that the ISP's Internet router has some ACL enable.

This is the running router configuration for the outside IP address of the firewall:

permit tcp any host xxx.xxx.xxx.xxx eq 10000
permit udp any eq 500 host xxx.xxx.xxx.xxx eq 500
permit 50 any host xxx.xxx.xxx.xxx
permit 51 any host xxx.xxx.xxx.xxx

Is this enough?
Do I have to ask my provider to open something more?

Leo

 

[danr19]

Hi Leo,

Which kind of device does NAT?
With some broadband routers like USRobotics and Linksys it works fine, but no with other like Micronet.

Cisco says: "We recommend that you grant permission for ICMP unreachable message type 3. Denying ICMP
unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic."

Best regards,

danr19