
Vpn host denies Nat'ed address

Status
Not open for further replies.

J00kie

Technical User
Jun 4, 2004
2
CA
Seems like BCE Emergis doesn't like VPN connections from a NAT'ed address.
I have an internal machine using the built-in W2k3 VPN client to pass through to specific other companies. (Working with basic entries / PPTP, UDP 500, IKE, AH, ESP.)
BCE denies on user verification from the internal machine because it sees the "external address (the NAT'ed translation)", not the "internal" one, when trying to authenticate.
I guess the VPN client is passing its internal address to the BCE host, which then refuses verification because it sees a different NAT address.
Anything would help.
So far I added UDP 500, 50/51, TCP 45000, TCP 10000, 264 out, 256 out; still nothing.
 
Sometimes using UDP helps, but it looks like you were doing this already.

Another way around this is, if you have any extra public IPs available, you can do a static NAT translation for your PC on the inside network going out with the VPN client.

I don't know how many internal users have VPN clients going out, though, so if it's more than a few this may not help, as you most likely don't own your own class C of public addresses!
 
Additional info
PIX 6.3(3). What I've added:
* means other scenarios to other hosts work with only these entries; no others needed.
extra fixup protocol pptp 1723
extra access-list incoming-list permit tcp any host 211.my-pubIP eq isakmp
* access-list incoming-list permit gre host 199.External host 211.my-pubIP

* access-list from-inside permit gre host 192.internal host 199.External
* access-list from-inside permit tcp host 192.internal host 199.External eq pptp
extra access-list from-inside permit udp host 192.internal host 199.External eq isakmp
extra access-list from-inside permit ip host 192.internal any
* static (inside,outside) 211.my-pubIP 192.internal netmask 255.255.255.255 0 0


"Report LOG System0.Info 192.logger %PIX-6-302017: Built outbound GRE connection 11366769 from inside:192.internalmachine (211mypubIP) to outside:199.External/1723+16384+4855 (199.External/1723+16384+4855)"
I get as far as "verify username pass", then it disconnects. (I confirmed username/pass with the host.)
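A way to confirm from the firewall's own output which address the remote VPN host actually sees, added here as an example and not part of the thread: it parses the `static` command and the %PIX-6-302017 message in the layouts quoted above and checks that the GRE flow left through the configured 1:1 mapping. The addresses are constructed documentation ranges standing in for the redacted "192.internal", "211.my-pubIP" and "199.External" hosts.

```python
import re

# Constructed sample lines (documentation address ranges), in the formats quoted in the thread.
STATIC_LINE = "static (inside,outside) 203.0.113.10 192.0.2.25 netmask 255.255.255.255 0 0"
LOG_LINE = ("%PIX-6-302017: Built outbound GRE connection 11366769 "
            "from inside:192.0.2.25 (203.0.113.10) "
            "to outside:198.51.100.7/1723+16384+4855 (198.51.100.7/1723+16384+4855)")

# "static (real_if,mapped_if) mapped_ip real_ip netmask ..." as in the PIX 6.x config above.
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>[\d.]+) (?P<real>[\d.]+)")
# 302017 layout as quoted: "from if:real (mapped) to if:real/ports (mapped/ports)".
LOG_RE = re.compile(
    r"%PIX-6-302017: Built (?P<direction>inbound|outbound) GRE connection (?P<conn_id>\d+) "
    r"from (?P<src_if>\w+):(?P<src>[\d.]+) \((?P<src_mapped>[\d.]+)\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)(?P<dst_ports>\S*) \((?P<dst_mapped>[\d.]+)\S*\)")


def parse_static(line):
    """Return the real/mapped pair from a PIX 6.x 'static' command."""
    m = STATIC_RE.search(line)
    if not m:
        raise ValueError("not a static command: %r" % line)
    return m.groupdict()


def parse_gre_log(line):
    """Return the fields of a %PIX-6-302017 GRE connection message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 302017 GRE message: %r" % line)
    return m.groupdict()


def peer_visible_address(log):
    """The address the remote VPN host sees as the caller: the mapped source in parentheses."""
    return log["src_mapped"]


def check_translation(static, log):
    """Confirm the GRE flow used the configured 1:1 static rather than another mapping.

    Returns (ok, explanation) so the reason can be shown to the operator.
    """
    if log["src"] != static["real"]:
        return False, "log source %s is not the static's real host %s" % (log["src"], static["real"])
    if log["src_mapped"] != static["mapped"]:
        return False, "host %s left as %s, expected static %s" % (
            log["src"], log["src_mapped"], static["mapped"])
    return True, "host %s leaves as %s; the VPN peer will see %s" % (
        log["src"], log["src_mapped"], peer_visible_address(log))
```

If the check fails, the PC is leaving through a different mapping (for example a PAT pool) and the far end will see that address instead of the one you registered with them.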
 