[VPN] Re: Cisco VPN client connecting through NAT

Dawson, Dana Dana.Dawson at qwest.com
Tue Nov 22 12:50:04 EST 2005


You need to enable the "nat-traversal" feature in the PIX with the "isakmp nat-traversal" command.  This will allow the PIX to do automatic NAT detection and encapsulate the ESP traffic in a UDP packet on port 4500, so you may also have to open that port (UDP/4500) in your firewall.  NAT Traversal is a proposed standard and is a very good thing.  It's on by default in newer Cisco IOS routers, but for some reason it's not on by default in the PIX and the VPN 3000 series - go figure.  This should fix the "one user at a time" issue, which is usually a limitation on the firewall/NAT device that the users are behind and not the PIX terminating the VPN sessions, and NAT-T is the preferred workaround.

HTH - Good luck!

Dana

-- 
Dana J. Dawson              Dana.Dawson at qwest.com
Sr. Staff Engineer          CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."
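
The following is an added illustration of the point in the reply above (why several clients behind one NAT device collide on raw ESP but not on NAT-T), written for this archive page; it is not code from the post, from Cisco, or from the VPN client. The NAT device is a deliberately simple, constructed 5-tuple translator that does not look at ESP SPIs, which is the limitation the reply attributes to the firewall the users sit behind. Addresses are RFC 5737 documentation ranges chosen for the example. The second function shows what actually travels on UDP/4500 once NAT-T is negotiated (RFC 3948): IKE behind a 4-byte zero marker, UDP-encapsulated ESP, and the one-octet 0xFF keepalive that the PIX sends at the interval given as the optional argument of "isakmp nat-traversal".

```python
"""
Why raw ESP from several hosts behind one NAT device collides, and why NAT-T
(ESP in UDP/4500) does not.  Added example for this archive page; not code
from the post or from Cisco.  The NAT model is a constructed, deliberately
simple port/address translator that ignores ESP SPIs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESP = 50            # IP protocol number; ESP has no transport ports
UDP = 17
IKE_PORT = 500      # IKE before NAT detection
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP once NAT is detected


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: there is no UDP/TCP header
    dport: Optional[int] = None


class SimpleNapt:
    """Translator keyed on (proto, public port, peer) for UDP and on
    (proto, peer) alone for port-less protocols such as ESP."""

    def __init__(self, public_ip: str, first_port: int = 20000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        self._reply_map: Dict[tuple, Tuple[str, Optional[int]]] = {}

    def outbound(self, p: Packet) -> Packet:
        if p.sport is None:
            # ESP: only the source address can be rewritten.  The reply key
            # (ESP, gateway) is identical for every inside host, so the newest
            # host silently overwrites the mapping of the previous one.
            self._reply_map[(p.proto, p.dst)] = (p.src, None)
            return Packet(p.proto, self.public_ip, p.dst)
        public_port = self._next_port           # unique per inside flow
        self._next_port += 1
        self._reply_map[(p.proto, public_port, p.dst)] = (p.src, p.sport)
        return Packet(p.proto, self.public_ip, p.dst, public_port, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        key = (p.proto, p.src) if p.dport is None else (p.proto, p.dport, p.src)
        entry = self._reply_map.get(key)
        if entry is None:
            return None                         # no state for this flow: dropped
        inside_host, inside_port = entry
        return Packet(p.proto, p.src, inside_host, p.sport, inside_port)


def simulate(clients: List[str], nat_t: bool,
             gateway: str = "203.0.113.1",
             public_ip: str = "198.51.100.7") -> Dict[str, Optional[str]]:
    """Each client sends one tunnel packet to the VPN gateway through the NAT;
    the gateway answers each flow exactly as it saw it.  Returns, per client,
    the inside host that actually receives that reply (None = dropped)."""
    nat = SimpleNapt(public_ip)
    seen_by_gateway: Dict[str, Packet] = {}
    for c in clients:
        if nat_t:
            pkt = Packet(UDP, c, gateway, NAT_T_PORT, NAT_T_PORT)
        else:
            pkt = Packet(ESP, c, gateway)
        seen_by_gateway[c] = nat.outbound(pkt)
    delivered: Dict[str, Optional[str]] = {}
    for c in clients:
        o = seen_by_gateway[c]
        reply = Packet(o.proto, gateway, o.src, o.dport, o.sport)
        back = nat.inbound(reply)
        delivered[c] = back.dst if back else None
    return delivered


def classify_udp4500_payload(payload: bytes) -> Tuple[str, Optional[int]]:
    """Tell apart the three things RFC 3948 multiplexes on UDP/4500: the
    one-octet 0xFF NAT-keepalive, IKE behind a 4-byte zero 'non-ESP marker',
    and UDP-encapsulated ESP, which starts with its SPI (never zero)."""
    if payload == b"\xff":
        return ("nat-keepalive", None)
    if len(payload) < 4:
        raise ValueError("too short for an IKE marker or an ESP header")
    head = payload[:4]
    if head == b"\x00\x00\x00\x00":
        return ("ike", None)
    return ("esp", int.from_bytes(head, "big"))


if __name__ == "__main__":
    hosts = ["10.0.0.5", "10.0.0.6"]          # constructed inside clients
    print("raw ESP :", simulate(hosts, nat_t=False))
    print("NAT-T   :", simulate(hosts, nat_t=True))
```

With raw ESP the second client's outbound packet steals the single (ESP, gateway) mapping, so the gateway's replies for both tunnels land on the last client to connect; with NAT-T each client gets its own translated UDP source port and every reply is routed home. That is the "one user at a time" symptom, and it is why the NAT device in front of the clients also has to let UDP/500 and UDP/4500 out (and the replies back), not just the PIX.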



-----Original Message-----
From: vpn-bounces+djdawso=qwest.com at lists.shmoo.com on behalf of Venkat Kaushik
Sent: Tue 11/22/2005 10:47 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Cisco VPN client connecting through NAT
 
Hello everyone,

Two weeks ago we changed our firewall from Checkpoint to Cisco PIX (we have a
PIX 515E ver 6.3) and we are having a problem with VPN.

We are using Cisco VPN client 4.X (Windows XP) connecting through a Linux
firewall (iptables) with NAT. This client-side configuration was working
fine up until we changed to PIX from the Checkpoint firewall. Only one client
can connect at a time. I need some help.

Venkat.




