[VPN] Re: Cisco VPN client connecting through NAT
Dana.Dawson at qwest.com
Tue Nov 22 12:50:04 EST 2005
You need to enable the "nat-traversal" feature in the PIX with the "isakmp nat-traversal" command. This will allow the PIX to do automatic NAT detection and encapsulate the ESP traffic in a UDP packet on port 4500, so you may also have to open that port (UDP/4500) in your firewall. NAT Traversal is a proposed standard and is a very good thing. It's on by default in newer Cisco IOS routers, but for some reason it's not on by default in the PIX and the VPN 3000 series - go figure. This should fix the "one user at a time" issue, which is usually a limitation on the firewall/NAT device that the users are behind and not the PIX terminating the VPN sessions, and NAT-T is the preferred workaround.
HTH - Good luck!
Dana J. Dawson Dana.Dawson at qwest.com
Sr. Staff Engineer CCIE #1937
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
"Hard is where the money is."
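As an added example (not from this thread, Cisco, or the PIX), a small Python demultiplexer for the UDP/4500 encapsulation described above, following RFC 3948: a lone 0xFF byte is a NAT keepalive, a 4-byte zero "non-ESP marker" means IKE, and anything else is UDP-encapsulated ESP with its SPI up front. The grouping by UDP source port shows why NAT-T lets several clients share one NAT while raw ESP (no ports) does not; the sample datagrams and addresses are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NATT_PORT = 4500                       # UDP port NAT-T moves IKE and ESP to (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE packets sent on UDP/4500
NAT_KEEPALIVE = b"\xff"                # 1-byte datagram that keeps the NAT mapping alive

@dataclass
class NattRecord:
    kind: str                          # "nat-keepalive", "ike" or "esp"
    spi: Optional[int] = None          # ESP SPI (first 4 bytes of the ESP header)
    ike_spi_i: Optional[bytes] = None  # IKE initiator cookie/SPI (8 bytes)
    ike_spi_r: Optional[bytes] = None  # IKE responder cookie/SPI (8 bytes)

def classify_udp4500_payload(payload: bytes) -> NattRecord:
    """Demultiplex one UDP/4500 payload as RFC 3948 section 2 specifies.

    A zero SPI is reserved, so four zero bytes unambiguously mark IKE;
    any other leading 4 bytes are the SPI of UDP-encapsulated ESP.
    """
    if payload == NAT_KEEPALIVE:
        return NattRecord("nat-keepalive")
    if len(payload) < 8:
        raise ValueError("payload too short for ESP or IKE")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:                       # ISAKMP fixed header is 28 bytes
            raise ValueError("truncated ISAKMP header")
        return NattRecord("ike", ike_spi_i=ike[:8], ike_spi_r=ike[8:16])
    spi, _seq = struct.unpack("!II", payload[:8])
    return NattRecord("esp", spi=spi)

def flows_by_client(datagrams: List[Tuple[str, int, bytes]]) -> Dict[Tuple[str, int], List[str]]:
    """Group UDP/4500 datagrams by (source IP, source port).

    Behind a Linux NAT every client gets its own translated UDP source port,
    so the PIX can keep the tunnels apart; raw ESP carries no port, which is
    what pins a NAT without ESP support to a single tunnel at a time.
    """
    flows: Dict[Tuple[str, int], List[str]] = {}
    for src_ip, src_port, payload in datagrams:
        flows.setdefault((src_ip, src_port), []).append(classify_udp4500_payload(payload).kind)
    return flows

# Constructed sample datagrams (not a real capture): two clients behind one NAT address.
SAMPLE_IKE = NON_ESP_MARKER + b"\x11" * 8 + b"\x22" * 8 + bytes(12)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLE_DATAGRAMS = [
    ("203.0.113.10", 61001, SAMPLE_IKE),
    ("203.0.113.10", 61001, SAMPLE_ESP),
    ("203.0.113.10", 61002, SAMPLE_IKE),
    ("203.0.113.10", 61002, NAT_KEEPALIVE),
]
```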
From: vpn-bounces+djdawso=qwest.com at lists.shmoo.com on behalf of Venkat Kaushik
Sent: Tue 11/22/2005 10:47 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Cisco VPN client connecting through NAT
Two weeks ago we changed our firewall from Checkpoint to Cisco PIX (we have a PIX 515E ver 6.3) and we are having a problem with VPN. We are using Cisco VPN client 4.X (Windows XP) connecting through a Linux firewall (iptables) with NAT. This client-side configuration was working fine up until we changed to PIX from the Checkpoint firewall. Only one client can connect at a time. I need some help.