  • Status: Solved
  • Priority: Medium
  • Security: Public
PIX 501 won't allow network computers to connect to other networks with Cisco VPN Client

Hi, I am having a problem with a Cisco PIX 501 locking up when connecting to an outside Cisco VPN. Let me explain:

We have a PIX 501 at our office and about 3 of our employees connect on a daily basis to an outside Cisco VPN at one of our customers. The customer is running a Cisco ASA (not sure of the model). When one of us connects to the outside VPN, none of the others are able to connect.

If the person that was connected to the VPN disconnects, no one else can use the Cisco VPN client to connect to ANY other networks.

The person that was on the VPN connection will always be able to connect to any network via Cisco VPN.

The ONLY way to fix the problem is to reload the PIX 501, and then the next person to connect to a Cisco VPN has exclusive rights to use the Cisco VPN client until the firewall is reloaded again.

Please help, this will be a big problem when we move to VoIP.

Asked by: nickkershner
 
lrmoore commented:
Try adding this to your end:

 isakmp nat-traversal 20

If that doesn't work, check with your customer to make sure their ASA is configured for UDP/NAT-traversal also.
If that doesn't work, and you don't have your 501 set up for incoming VPN, you can use fixup protocol esp-ike.
 
nickkershner (author) commented:
I added in the isakmp nat-traversal 20 line, and it did not help.

We already had the fixup protocol line in as well.

Their ASAs are configured for NAT traversal as well.
It appears that someone here in our office made our PIX a test for incoming VPN connections; could that be causing the issue?

The strange part is I can be connected to the customer with the ASA connections, and no one else in the office can connect to any of our other customers' Cisco VPNs until the PIX is reloaded, so I am not really leaning on it being on the customer side. Thanks!!!
 
theeter commented:
This definitely sounds like a NAT-T problem as lrmoore suggested.

Everything points to the customer not having NAT-T enabled on the ASA.

When you connect from your network, check your VPN client Status -> Statistics -> Transport. If NAT-T is functioning then it will say Transparent Tunneling Active on UDP port 4500.

Depending on ASA version they need to add "isakmp nat-traversal" or "crypto isakmp nat-traversal".
nickkershner (author) commented:
It says that the Transparent Tunneling is inactive. So you are saying that it is an issue on the ASA side?
The ASA version is ASA 5510.
 
theeter commented:
Yes. There are two possibilities.

1. Make sure on the VPN client application that you have checked "enable transparent tunneling" IPsec over UDP. This is located in the client profile under the "Transport" tab.

2. If that is checked, the only other thing would be that the ASA does not have NAT-T enabled. Depending on the software version, 7.0, 7.1 will be "isakmp nat-traversal", 7.2 and above will be "crypto isakmp nat-traversal".
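To make the two steps above concrete, the fragment below is an added worked example; it is not from the original thread and was not posted by any of the participants. Interface names and the keepalive value are assumptions, and the customer's real configuration is not known. The reason NAT-T decides this case: the PIX 501 PATs every office host behind one public address, and ESP carries no port numbers, so the PIX can only associate a single outbound ESP flow with a single inside host at a time. The second client's ESP has nowhere to be mapped, which matches the "one user at a time until reload" symptom. Once both ends negotiate NAT-T, IKE and ESP are carried inside UDP/4500, which PAT can multiplex like any other UDP traffic. Note that `isakmp nat-traversal` on the office PIX only affects tunnels the PIX itself terminates, which is consistent with the asker's report that adding it changed nothing for clients passing through it.

```text
! ---- Office PIX 501 (PIX 6.3) ----
! Only affects tunnels the PIX itself terminates; the 20 is the NAT-T
! keepalive interval in seconds (assumed value, the Cisco default).
isakmp nat-traversal 20
!
! Alternative for a PIX that terminates NO VPN of its own: allows a single
! ESP session to be PATed through. It cannot coexist with "isakmp enable
! <interface>", which is why the asker was told to check for an incoming
! VPN test config on the 501.
! fixup protocol esp-ike
!
! ---- Customer ASA 5510, software 7.0 / 7.1 ----
isakmp enable outside
isakmp nat-traversal 20
!
! ---- Customer ASA 5510, software 7.2 and later (the version in this thread) ----
crypto isakmp enable outside
crypto isakmp nat-traversal 20
!
! ---- Verification ----
! On the ASA (7.2+):
!   show running-config crypto isakmp   -> expect "crypto isakmp nat-traversal 20"
!   show crypto isakmp sa               -> after a NATed client connects, the peer
!                                          address should be reported with port 4500
! On the VPN client: Status -> Statistics -> Transport must read
!   "Transparent Tunneling Active on UDP port 4500"
```

On the asker's safety question: NAT-T is negotiated in IKE phase 1 (the peers exchange a NAT-T vendor ID and then NAT-discovery payloads), and UDP/4500 encapsulation is used only when a NAT is actually detected between the two peers. Existing site-to-site tunnels and remote-access users that are not behind a NAT keep running plain ESP exactly as before, so adding the command does not disturb them; only removing it (or a peer that refuses the vendor ID) changes behaviour. The office side also has to permit outbound UDP/4500, which the PIX 501 does by default for inside-to-outside traffic.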
 
nickkershner (author) commented:
Ok, I am interested in testing this, but I just need to be ABSOLUTELY sure that if I add either of the lines you provided me that it will not interfere with any of the following:

Site to Site VPN (they have 7 tunnels)
Client to Site VPN (they have about 40 users on at a time)
I will still be able to access their site via VPN, as they do not have ANY ports open to allow me to RDP back in to remove the line of code.

Thanks!!!!
 
nickkershner (author) commented:
BTW, it's 7.2.
 
theeter commented:
It should absolutely not affect existing users.

Have you verified the command is not in place already?
 
nickkershner (author) commented:
I have verified that the command is not there.
 
theeter commented:
Well, let us know how it goes. Removing the command would cause trouble, but adding it will not.