[VPN] Re: Cisco VPN Client to PIX Question

Dana J. Dawson Dana.Dawson at qwest.com
Fri Jan 6 16:27:22 EST 2006


Micha,

Yes, this sounds like a nat-traversal issue.  Add the "isakmp nat-traversal 20" command to your config and see if that helps.

Good luck!

Dana

---
Dana J. Dawson                     Dana.Dawson at qwest.com
Sr. Staff Engineer                 CCIE #1937
Qwest Communications               JNCIA-FWV
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

On Friday, Jan 6, 2006, at 8:53 AM, Michael Arndt wrote:

> Hello *
>
> Problem: Access of a Windows rdesktop client over a NAT/PAT VPN
>          does not work when the VPN is built over a NATed network.
>          The access works when the client computer accesses the PIX only
>          via a direct link (e.g. DSL access).
>
> clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> PIX -> targetserver  works
> clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> (linux firewall,NAT) -> PIX -> targetserver  does NOT work
>
> Since I don't know if attachments are acceptable, below are the
> snippets I think are relevant from the PIX (addresses modified).
> Somewhere on this list I found hints regarding: isakmp nat-traversal
> Does that apply for the given situation?
>
> Has anyone hints where to look?
>
> TIA
> Micha
>
> PIX Version 6.3(3)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside  security100
>
> access-list inside_outbound_nat0_acl permit ip any 192.168.7.96 255.255.255.224
> access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.96 255.255.255.224
> access-list outside_cryptomap_dyn_40 permit ip any 192.168.7.96 255.255.255.224
>
> ip address outside 123.45.152.168 255.255.255.192
> ip address inside 192.168.7.4 255.255.255.0
>
> ip local pool VPN 192.168.7.100-192.168.7.120
>
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 123.45.152.129 1
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map client authentication LOCAL
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
>
> vpngroup VPN address-pool VPN
> vpngroup VPN dns-server 123.45.1.3 123.45.1.31
> vpngroup VPN idle-time 1800
>
> dhcpd address 192.168.7.5-192.168.7.36 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> Cryptochecksum:xxx
> : end
> [OK]
>
>
>
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
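The mechanism behind Dana's suggestion, as an added example that is not part of the original thread or of any Cisco code: the Cisco VPN client's data traffic is ESP (IP protocol 50), which carries no port numbers, so a Linux PAT box in the path cannot build a per-client translation for it, while the IKE negotiation on UDP/500 still gets through. With `isakmp nat-traversal` enabled, the PIX and client exchange NAT-D payloads during phase 1 (RFC 3947), each a hash of the cookies plus an address and port; a hash that no longer matches the address actually seen on the wire proves a NAT rewrote it, and both sides then wrap IKE and ESP in UDP/4500 (RFC 3948), which PAT can track. The numeric argument to the command is the NAT keepalive interval in seconds; keepalives are the single-byte packets the script classifies last. The script below models that detection from the PIX's point of view, using MD5 because the posted `isakmp policy 20 hash md5` negotiates it. The ISAKMP cookies, the client address 192.168.1.10, the NAT's public address 203.0.113.7:1024 and the direct-link address 198.51.100.20 are all constructed for the example; only 123.45.152.168 comes from the posted config.

```python
"""
NAT traversal mechanics behind "isakmp nat-traversal" (RFC 3947 / RFC 3948).
Added example; cookies and client-side addresses are constructed, the PIX
outside address 123.45.152.168 is taken from the posted config.
"""
import hashlib
import socket
import struct

# Constructed ISAKMP cookies (8 bytes each), as carried in the IKE header.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

# Non-ESP Marker that prefixes IKE packets on UDP/4500 (RFC 3948 section 2.2).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# NAT-keepalive packet: a single 0xFF octet (RFC 3948 section 2.3).
NAT_KEEPALIVE = b"\xff"

PIX_IP, IKE_PORT = "123.45.152.168", 500  # outside address from the posted config


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    The hash is the one negotiated in phase 1 ("isakmp policy 20 hash md5")."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(socket.inet_aton(ip))
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """What a peer sends: first the hash of the address it is sending TO,
    then the hash of its own address as it sees it (RFC 3947 section 3.2)."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, payloads, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side: compare the peer's hashes with what actually arrived."""
    remote_hash, local_hashes = payloads[0], payloads[1:]
    # If the peer's view of our address does not hash to our real address,
    # something rewrote it in transit: we are behind a NAT.
    local_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    # If none of the peer's own-address hashes match the source we observed,
    # the peer's address was rewritten: the peer is behind a NAT.
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_behind_nat = observed not in local_hashes
    return {
        "local_behind_nat": local_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        "use_udp_encapsulation": local_behind_nat or peer_behind_nat,
    }


def pix_view_of_client_behind_linux_nat():
    """The failing case from the thread: VPN client 192.168.1.10 (constructed)
    behind a Linux NAT that presents the packet as 203.0.113.7:1024 (constructed)."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.168.1.10", 500, PIX_IP, IKE_PORT)
    return detect_nat(CKY_I, CKY_R, payloads, "203.0.113.7", 1024, PIX_IP, IKE_PORT)


def pix_view_of_client_on_direct_link():
    """The working case: client on a public address 198.51.100.20 (constructed)."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "198.51.100.20", 500, PIX_IP, IKE_PORT)
    return detect_nat(CKY_I, CKY_R, payloads, "198.51.100.20", 500, PIX_IP, IKE_PORT)


def classify_udp4500(payload):
    """Demultiplex a UDP/4500 datagram once NAT-T is in use. ESP needs no marker
    because a real SPI is never zero, so four leading zero bytes can only be IKE."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 4:
        return "too-short"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


if __name__ == "__main__":
    print("client behind Linux NAT:", pix_view_of_client_behind_linux_nat())
    print("client on direct link:  ", pix_view_of_client_on_direct_link())
    for pkt in (NON_ESP_MARKER + bytes(28), bytes.fromhex("c0ffee01") + bytes(28), NAT_KEEPALIVE):
        print(pkt[:4].hex(), "->", classify_udp4500(pkt))
```

On the real PIX, the observable counterpart of this script is that a working NAT-T session shows UDP/4500 rather than protocol 50 arriving on the outside interface, and the Linux firewall in the middle only needs to pass UDP/500 and UDP/4500 outbound; without NAT-T the same box would have to forward raw ESP, which PAT cannot do per client.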
