VPN on PIX doesn't work with VPN client behind NAT

My network looks like this:


I am trying to create a VPN tunnel from one computer on the LAN to comp_VPN_CLIENT, using the PIX as the VPN server. When I try to connect from a public IP without SERVER (linux), i.e. when my network looks like this: LAN PIX(VPN) INTERNET comp_VPN_CLIENT, everything is fine and I can connect to the host without any problems.

This is my config:

access-list vpn permit ip

ip local pool ePoll

nat (inside) 0 access-list vpn
sysopt connection permit-ipsec

crypto ipsec transform-set transSetE esp-aes-256 esp-sha-hmac

crypto dynamic-map dynMapE 20 set transform-set transSetE

crypto map mapaE 20 ipsec-isakmp dynamic dynMapE
crypto map mapaE interface outside

isakmp identity address

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup e address-pool ePoll
vpngroup e dns-server A.B.C.D
vpngroup e default-domain domain.pl
vpngroup e split-tunnel vpn
vpngroup e idle-time 1800
vpngroup e password *****

What is wrong, or what have I forgotten?

Sorry for my English :)


You need to split your ACL vpn. You cannot use the same ACL for the nat 0 statement and also for split-tunnel. Also, you are missing the "isakmp nat-traversal" command.


In article , snipped-for-privacy@bellsouth.net wrote:
:you need to split your ACL vpn. you cannot have the same acl for NAT 0
:statement, and also use it for split-tunnel.

Although it is usually a bad idea to use the same ACL for two purposes, it is considered to be valid as long as one of the purposes is not as an access-group. There are known bugs in some versions with sharing a nat 0 access-list with a crypto map access-list, but I'm not -aware- of any restriction on sharing a nat 0 access-list with a split-tunnel usage. Would you have a citation or bug number for this restriction?

:Also you are missing the "isakmp nat-traversal" command.

If the OP's version supports that. Unfortunately the OP did not say which software version is involved.

With the information we have been given, we can't be sure that the Linux system is forwarding packets at all, or that it is forwarding all necessary protocols. I would ask the OP: if you turn off the VPN client, and if you configure the PIX with the 'icmp' command to accept echo on the outside interface, then can you ping through to the remote PIX through the Linux system? In other words, isolate whether the packets are getting through at all.

Walter Roberson

It's OK, I can ping the Linux box from the LAN behind the PIX. I use isakmp nat-traversal, but I still can't connect to the host. How should I split the ACL? I read some material on the Cisco website and it says to do it this way (nat 0 and split-tunnel use one ACL).

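As an added example (not the original poster's configuration and not taken from Cisco's documentation), here is the OP's config with the three things the replies in this thread ask for: the ACL split into one list for nat 0 and one for split-tunnel (identical entries, which is also consistent with Walter's note that sharing them is usually valid), the isakmp nat-traversal command, and the icmp command Walter suggested for the ping test. The inside network 192.168.1.0/24, the pool 192.168.100.1-254, the ACL names nonat and split, and the isakmp enable line are assumptions; PIX 6.3 or later is assumed because that is where isakmp nat-traversal exists, and the OP did not state a version.

```cisco
! Assumed addressing (not from the original post):
!   inside LAN        192.168.1.0/24
!   VPN client pool   192.168.100.1 - 192.168.100.254
! ACL names nonat / split are also assumptions.

! Same entries in two ACLs: one consumed by nat 0, one pushed to the client
! as the split-tunnel list.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

ip local pool ePoll 192.168.100.1-192.168.100.254

nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

crypto ipsec transform-set transSetE esp-aes-256 esp-sha-hmac
crypto dynamic-map dynMapE 20 set transform-set transSetE
crypto map mapaE 20 ipsec-isakmp dynamic dynMapE
crypto map mapaE interface outside

! Assumed present already, since the non-NAT case works for the OP.
isakmp enable outside
isakmp identity address
! NAT-T (PIX 6.3(1) and later). The argument is the NAT keepalive interval in
! seconds; keepalives stop the Linux box's UDP/4500 translation from expiring.
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup e address-pool ePoll
vpngroup e dns-server A.B.C.D
vpngroup e default-domain domain.pl
vpngroup e split-tunnel split
vpngroup e idle-time 1800
vpngroup e password *****

! Diagnostics from Walter's reply: let the outside interface answer echo so
! comp_VPN_CLIENT can ping the PIX through the Linux box, then after a
! connection attempt check the SAs:
!   show isakmp sa        -> phase 1; empty means UDP/500 never reached the PIX
!   show crypto ipsec sa  -> phase 2; encaps/decaps counters show traffic flowing
icmp permit any echo outside
```

Two points to keep in mind when running this. The ping test Walter asked for goes from comp_VPN_CLIENT to the PIX outside address, not from the LAN to the Linux box, so it checks that the Linux host forwards the client's packets out to the Internet at all. For the tunnel itself the Linux NAT box has to pass UDP/500 and UDP/4500 in both directions; once NAT-T is negotiated, ESP (IP protocol 50) is carried inside UDP/4500 and no longer has to cross the NAT on its own.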

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.