Router2Pix tunnel and VPN Client at the same time

Hi.

I have set up a tunnel between my router at home and a PIX 515 at work, and have several thin clients (Wyse) connect to a terminal server at work. This all works fine. Now I use my laptop, also from home, and a Cisco VPN client to connect to another PIX (customer), and that also works fine, but after I have connected using the VPN client, the tunnel to work doesn't work any more. The tunnel is not down (still connected at both ends) but the thin clients can't get any traffic through. Manually taking the tunnel down and creating it again does not help; the only way is to reset the router. I thought that when IPSEC Pass Through was enabled on the router the VPN Client just passed through that, and didn't conflict with the Router2Pix tunnel, but I guess I'm wrong. I have tried with different VPN routers (D-link, Linksys, etc.) but they all have the same problem.

Any help or experience would be greatly appreciated.

Jorgen D.


Hi Jorgen,

You must configure NAT Transparency on the PIX.

The IPSec NAT Transparency feature introduces support for IPSec traffic to travel through NAT or Point Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPSec.

NAT Transparency uses User Datagram Protocol (UDP) port 4500 to encapsulate IPSec packets.

By default, PIX drops all inbound connections coming from the outside.

You must open this port for NAT Transparency to work.

Issue this command:

Pix#config t

Pix(config)#isakmp nat-traversal

IPSec NAT Transparency:

NAT Traversal is a feature that is auto-detected by VPN devices.

There are no configuration steps for a router that runs Cisco IOS® Software Release 12.2(13)T and later.

If both VPN devices are NAT Transparency capable, NAT Traversal is auto-detected and auto-negotiated.

Hope this helps.

Brad Reese

BradReese.Com - Cisco Network Engineer Directory

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803

USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant
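Added example, not part of either post above: a small Python classifier for the payload of UDP port 4500 datagrams, following the RFC 3948 framing that NAT Traversal uses, useful when checking a capture to see whether a tunnel behind a NAT router is really sending UDP-encapsulated ESP. The function name and the sample byte strings are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500                  # UDP port the reply says carries NAT-T traffic
NON_ESP_MARKER = b"\x00" * 4       # RFC 3948: four zero bytes precede an IKE message
IKE_HEADER = struct.Struct("!8s8sBBBBII")  # fixed 28-byte ISAKMP/IKE header


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == b"\xff":
        # A single 0xFF byte keeps the NAT/PAT mapping alive between packets.
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "too short for marker or SPI"}
    if payload[:4] == NON_ESP_MARKER:
        # Key-exchange traffic: the IKE header follows the marker.
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        (_init_spi, _resp_spi, _next, version, exchange,
         _flags, _msg_id, length) = IKE_HEADER.unpack_from(ike)
        return {"kind": "ike",
                "version": f"{version >> 4}.{version & 0x0F}",
                "exchange_type": exchange,
                "declared_length": length,
                "length_ok": length == len(ike)}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "truncated ESP header"}
    # Anything else is ESP: a non-zero SPI, then the sequence number.
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample payloads (not taken from any real capture).
IKE_SAMPLE = NON_ESP_MARKER + IKE_HEADER.pack(
    b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, IKE_HEADER.size)
ESP_SAMPLE = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16
KEEPALIVE_SAMPLE = b"\xff"

if __name__ == "__main__":
    for name, sample in [("ike", IKE_SAMPLE), ("esp", ESP_SAMPLE),
                         ("keepalive", KEEPALIVE_SAMPLE)]:
        print(name, classify_nat_t_payload(sample))
```
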
