nickkershner


PIX 501 won't allow network computers to connect to other networks with Cisco VPN Client

Hi, I am having a problem with a Cisco PIX 501 locking up when connecting to an outside Cisco VPN. Let me explain:

We have a PIX 501 at our office and about 3 of our employees connect on a daily basis to an outside Cisco VPN at one of our customers. The customer is running a Cisco ASA (not sure of the model). When one of us connects to the outside VPN, none of the others are able to connect.

If the person that was connected to the VPN disconnects, no one else can use the Cisco VPN client to connect to ANY other networks.

The person that was on the VPN connection will always be able to connect to any network via Cisco VPN.

The ONLY way to fix the problem is to reload the PIX 501, and then the next person to connect to a Cisco VPN has exclusive rights to use the Cisco VPN client until the firewall is reloaded again.

Please help, this will be a big problem when we move to VoIP.
Les Moore

Try adding this to your end:

 isakmp nat-traversal 20

If that doesn't work, check with your customer to make sure their ASA is configured for UDP/nat-traversal also.
If that doesn't work, and you don't have your 501 set up for incoming VPN, you can use fixup protocol esp-ike
nickkershner

ASKER

I added in the isakmp nat-traversal 20 line, and it did not help.

We already had the fixup protocol line in as well.

Their ASAs are configured for NAT Traversal as well.
It appears that someone here in our office made our PIX a test for coding incoming VPN connections, could that be causing the issue?

The strange part is I can be connected to the customer with the ASA connections, and no one else in the office can connect to any of our other customers' Cisco VPNs until the PIX is reloaded, so I am not really leaning on it being on the customer side. Thanks!!!
This definitely sounds like a nat-t problem as lrmoore suggested.

Everything points to the customer not having nat-t enabled on the ASA.

When you connect from your network, check your vpn client Status -> Statistics -> Transport. If nat-t is functioning then it will say Transparent Tunneling Active on UDP port 4500.

Depending on ASA version they need to add "isakmp nat-traversal" or "crypto isakmp nat-traversal".
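As an added illustration (not code from this thread), the Transport check described above can be modelled from traffic seen on the inside interface: a client that negotiated NAT-T shows UDP/4500 flows, one that did not shows raw ESP (IP protocol 50), and because raw ESP carries no port for PAT to rewrite, two such clients to the same peer behind one outside address cannot be told apart without special ESP handling. The flow records below are constructed, not captured.

```python
"""Classify IPsec client tunnels seen at a NAT/PAT edge as NAT-T (UDP/4500) or
raw ESP (IP protocol 50), and flag raw-ESP tunnels that would collide behind a
single PAT address. Added example; the FLOWS list is constructed sample data."""
from collections import defaultdict

ESP, UDP = 50, 17
IKE_PORT, NAT_T_PORT = 500, 4500

# Constructed 5-tuples as seen on the inside interface: (proto, src, dst, sport, dport)
FLOWS = [
    (UDP, "10.0.0.11", "203.0.113.5", 500, 500),    # IKE phase 1 from host A
    (UDP, "10.0.0.11", "203.0.113.5", 4500, 4500),  # host A: NAT-T negotiated
    (UDP, "10.0.0.12", "203.0.113.5", 500, 500),    # IKE from host B
    (ESP, "10.0.0.12", "203.0.113.5", None, None),  # host B: raw ESP, no ports
    (UDP, "10.0.0.13", "203.0.113.5", 500, 500),    # IKE from host C
    (ESP, "10.0.0.13", "203.0.113.5", None, None),  # host C: raw ESP to same peer
]


def classify_tunnels(flows):
    """Return {(inside_host, peer): 'nat-t' | 'esp' | 'ike-only'}."""
    state = {}
    for proto, src, dst, sport, dport in flows:
        key = (src, dst)
        if proto == UDP and dport == NAT_T_PORT:
            state[key] = "nat-t"            # what the client shows as Transparent Tunneling on UDP 4500
        elif proto == ESP and state.get(key) != "nat-t":
            state[key] = "esp"              # ESP riding directly on IP, no transport ports
        elif proto == UDP and dport == IKE_PORT:
            state.setdefault(key, "ike-only")
    return state


def pat_collisions(tunnels):
    """Raw ESP has no port for PAT to rewrite, so return traffic from one peer to
    the shared outside address cannot be matched to a particular inside host.
    Returns {peer: [inside hosts]} for peers with more than one raw-ESP tunnel."""
    by_peer = defaultdict(list)
    for (host, peer), kind in tunnels.items():
        if kind == "esp":
            by_peer[peer].append(host)
    return {peer: hosts for peer, hosts in by_peer.items() if len(hosts) > 1}


if __name__ == "__main__":
    tunnels = classify_tunnels(FLOWS)
    for (host, peer), kind in tunnels.items():
        print(f"{host} -> {peer}: {kind}")
    for peer, hosts in pat_collisions(tunnels).items():
        print(f"raw ESP collision at PAT for peer {peer}: {', '.join(hosts)}")
```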
It says that the Transparent tunneling is inactive. So you are saying that it is an issue on the ASA side?
The ASA version is ASA5510.
ASKER CERTIFIED SOLUTION
theeter

Ok, I am interested in testing this, but I just need to be ABSOLUTELY sure that if I add either of the lines you provided me that it will not interfere with any of the following:

Site to Site VPN (they have 7 tunnels)
Client to Site VPN (they have about 40 users on at a time)
I will still be able to access their site via VPN as they do not have ANY ports open to allow me to RDP back in to remove the line of code.

Thanks!!!!
BTW, it's 7.2.
It should absolutely not affect existing users.

Have you verified the command is not in place already?
I have verified that the command is not there.
Well, let us know how it goes. Removing the command would cause trouble, but adding it will not.