VPN-client behind a Pix 515


From within our LAN we would like to connect to some remote destination using Cisco's VPN client software (latest version). Our LAN uses non-routed addresses, thus the Pix (software 7.2(3)) does NAT/PAT. On the Pix we have "crypto isakmp nat-traversal 20" and "sysopt connection permit-vpn". Usually after a reboot of the Pix the client is able to establish a connection and things are fine. But after a few hours things are somehow changing. Whenever the client tries to establish a connection, the password prompt appears. But soon after the password has been entered, the connection closes. Thus, what could be wrong here?

Regards, Christoph Gartmann


Since you can make the connection once I'm not sure this will help, though the times that we've had customers that want to VPN back to their mothership, we've had to add the following in our acl_outside access list:

access-list acl_outside extended permit gre host any
access-list acl_outside extended permit esp host any

There are some remote end initiated packets that come back that need to be let in.

I thought that the "crypto isakmp nat-traversal 20" and "sysopt connection permit-vpn" were for configuring VPN into the PIX, not out of the PIX.

I've seen on some of the Linksys/Dlink routers that they will only allow one outbound VPN connection at a time. I didn't think the PIX had that issue. Though we use mostly NAT and not PAT, whereas all of the Linksys/Dlink routers use PAT (even though they say it's NAT).

Scott Townsend
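The reply above names three things a PIX admin would verify on the firewall before digging deeper: NAT traversal is enabled, "sysopt connection permit-vpn" is set, and the ACL bound inbound on the outside interface permits ESP and GRE back in. The script below is an added example, not code from the thread or from Cisco: it walks a running-config excerpt and reports which of those lines are missing. The config text is constructed for the example (the host address 203.0.113.10, the acl_dmz entries and the hostname are all made up), and the check names and regexes are my own. An ACL entry only counts if that ACL is the one applied "in interface outside", since an esp permit in some other list would not help.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config excerpt, modelled on the settings named
# in the thread. The address, hostname and acl_dmz lines are invented.
SAMPLE_CONFIG = """\
: Saved
PIX Version 7.2(3)
hostname pix515
access-list acl_outside extended permit esp host 203.0.113.10 any
access-list acl_outside extended permit gre host 203.0.113.10 any
access-list acl_dmz extended permit tcp any any eq www
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
crypto isakmp nat-traversal 20
sysopt connection permit-vpn
"""

# Each check is a description mapped to a regex tried against single config
# lines. A capture group, where present, holds the ACL name so that the
# entry can be tied to the ACL actually bound on the outside interface.
CHECKS = {
    "isakmp nat-traversal enabled": re.compile(r"^crypto isakmp nat-traversal\b"),
    "sysopt connection permit-vpn present": re.compile(r"^sysopt connection permit-vpn$"),
    "outside ACL permits ESP": re.compile(r"^access-list (\S+) extended permit esp\b"),
    "outside ACL permits GRE": re.compile(r"^access-list (\S+) extended permit gre\b"),
}

ACCESS_GROUP_OUTSIDE = re.compile(r"^access-group (\S+) in interface outside$")


def parse_lines(config: str) -> List[str]:
    """Return stripped, non-empty config lines, dropping ':' and '!' comments."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":") or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def outside_acl_name(lines: List[str]) -> Optional[str]:
    """Name of the ACL applied inbound on the outside interface, if any."""
    for line in lines:
        m = ACCESS_GROUP_OUTSIDE.match(line)
        if m:
            return m.group(1)
    return None


def audit(config: str) -> Dict[str, bool]:
    """Map each check description to True if the config satisfies it."""
    lines = parse_lines(config)
    outside_acl = outside_acl_name(lines)
    results: Dict[str, bool] = {}
    for name, pattern in CHECKS.items():
        found = False
        for line in lines:
            m = pattern.match(line)
            if not m:
                continue
            # ACL checks only pass when the entry lives in the outside ACL.
            if m.groups() and m.group(1) != outside_acl:
                continue
            found = True
            break
        results[name] = found
    return results


def missing(config: str) -> List[str]:
    """Descriptions of the checks the config fails, in CHECKS order."""
    return [name for name, ok in audit(config).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'MISS'} {name}")
```

Feed it the output of "show running-config" saved to a file instead of SAMPLE_CONFIG to audit a real box; anything listed by missing() is a line to compare against the reply's suggestion.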
