  • Status: Solved
  • Priority: Medium
  • Security: Public

AT&T VPN client does not work in a LAN; however, other VPN clients work in this same LAN

My network has a Cisco PIX between the LAN and the ISP.  Inside the LAN, users are able to use various VPN clients (Cisco, CheckPoint, Nokia) to connect to other companies.  A new VPN client is required to be used and it is an AT&T VPN client.  This AT&T VPN client does not work in this same environment.  Is there any special PIX config to be done to allow this AT&T VPN client?
Asked by royrubio
 
lrmoore Commented:
Have you enabled nat-traversal on your PIX?

 isakmp nat-traversal 20

Do you support your own VPN tunnels/clients on the PIX? If not, you can enable esp-ike fixup.
 
WMIF Commented:
Do you know anything about the AT&T client?  Does it use GRE tunnels?
 
lrmoore Commented:
Good thought, WMIF.
Try adding this to the PIX config:
  fixup protocol pptp 1723
 
royrubio (Author) Commented:
Nat-traversal did not solve the problem.  I do not know anything about the AT&T client.  I will add the fixup and test.
 
lrmoore Commented:
If you have extra public IP addresses, you can try a 1-to-1 static public IP to this client.
 
WMIF Commented:
What version of the client is your user running?
http://support.microsoft.com/kb/925479
 
royrubio (Author) Commented:
Adding fixup to the PIX did not do any good.

The AT&T VPN client runs alright on the same PC if I route it through a Cisco IOS firewall.  We don't have issues with the PC and AT&T VPN client configuration.  It is the Cisco PIX that is not allowing it.

 
 
royrubio (Author) Commented:
I need a solution for Cisco PIX because I have a site which uses PIX only.
 
lrmoore Commented:
Did you try a 1-1 static NAT for this inside host?
static (inside,outside) <public ip> <host ip> netmask 255.255.255.255

You should not need any access list entries, but you could try adding:
access-list <outside_in> permit ip host <at&t vpn endpoint> host <public ip>
 
royrubio (Author) Commented:
lrmoore, I have not tried it yet.  Will try next week.
 
royrubio (Author) Commented:
Sorry, I don't have a spare public IP to test.  Any more ideas other than this?
 
royrubio (Author) Commented:
Any more ideas please?
 
royrubio (Author) Commented:
This remains an open problem for me, but I managed to route traffic to an IOS firewall instead of the PIX.  I'm closing this query for now.  I'm splitting points among those who tried to help:  300 for lrmoore and 200 for WMIF.  Thanks for your help.