VPN-client behind a Pix 515

- C
- Christoph Gartmann
  
  Contact options for registered users
posted
15 years ago

Wed, Apr 2, 2008 2:04 PM

Hello,

from within our LAN we would like to connect to some remote destination using Cisco's VPN-client software (latest version). Our LAN uses non-routed addresses, thus the Pix (software 7.2(3)) does NAT/PAT. On the pix we have "crypto isakmp nat-traversal 20" and "sysopt connection permit-vpn". Usually after a reboot of the Pix the client is able to establish a connection and things are fine. But after a few hours things are somehow changing. Whenever the client tries to establish a connection, the password prompt appears. But soon after the password has been entered the connection closes. Thus, what could be wrong here?

Regards, Christoph Gartmann

Loading thread data ...

- S
- Scott Townsend
  
  Contact options for registered users
posted
15 years ago

Wed, Apr 2, 2008 4:15 PM

Since you can make the connection once I'm not sure this will help, though the times that we've had customers that want to VPN back to their mothership, we've had the add the Following in out ACL_outside Access List:

access-list acl_outside extended permit gre host any access-list acl_outside extended permit esp host any

There are some remote end initiated packets that come back that need to be let in.

I thought that the "crypto isakmp nat-traversal 20" and "sysopt connection permit-vpn" were for Configuring VPN into the PIX, not out of the PIX.

I've seen on some of the Linksys/Dlink routers that will only allow one outbound VPN connection at a time. I didn't think had that issue. Though we use mostly NAT and not PAT, where as all of the Linksys/Dlink routers use PAT (even though they say its NAT)

Scott Hello,

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.