How to allow all IP traffic to and from an external IP address

I have a Cisco PIX 515 in place and a T1 internet connection.
We are trying to access a client's VPN network and when behind the PIX, we can connect but cannot do anything on their network.
When I place the computer on the outside of the PIX, it connects to the VPN and functions perfectly.

What needs to be done to allow this connection to a set external IP address?
WPC479 Asked:

willbaclimon Commented:
Depends on the name of the interface

access-list outside permit tcp host 1.1.1.1 host 192.168.1.1 eq www

That's just an example
0
danf0x Commented:
It could also be that you need no nat statements, as that may be what is happening when you are behind the pix.
0
3nerds Commented:
Do you have the following in your PIX:

fixup protocol esp-ike


Regards,

3nerds
0
WPC479 Author Commented:
3nerds,  no I don't have that line.
What is that command for?
0
danf0x Commented:
It enables outbound ipsec traffic.
0
3nerds Commented:
It will allow the pix to better translate that protocol passing through the device and should fix your problem.

Good Luck,

3nerds
0
WPC479 Author Commented:
I will add that fixup line and try.

Before doing anything, I will mention this, we can connect with the Cisco VPN client to the remote site, and the remote admin claims our outbound traffic reaches them, but anything inbound to us is stopped.
0
WPC479 Author Commented:
fixup protocol esp-ike doesn't work because I have ISAKMP enabled.
I will clean up my config file and drop it here.
0
danf0x Commented:
Enable isakmp nat-traversal and give it a try. I don't think the pix likes the fixup and isakmp together.
0
3nerds Commented:
You have a site to site VPN and are now trying to do a Client vpn out through your pix?

If that is correct try what danf0x suggested, I do recall a bug/limitation with a pix and what you are trying to accomplish. I believe the limitation was fixed in the ASA.

Good Luck,

3nerds
0
WPC479 Author Commented:
I enabled isakmp nat-traversal and same problem.  Below is the log from our internal client.  I just realized he is using a Mac laptop client, if it matters.  He is able to connect to the external VPN when he has his Mac laptop at home on his home network.
Sorry for the long log.
>>>>


Cisco Systems VPN Client Version 4.9.01 (0080)
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
Config file directory: /etc/opt/cisco-vpnclient

1      16:22:30.698  05/28/2009  Sev=Info/4      CM/0x43100002
Begin connection process

2      16:22:30.699  05/28/2009  Sev=Warning/2      CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xC0A8E1FF, Src Addr: 0xC0A8E101 (DRVIFACE:1158).

3      16:22:30.699  05/28/2009  Sev=Warning/2      CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xC0A84CFF, Src Addr: 0xC0A84C01 (DRVIFACE:1158).

4      16:22:30.699  05/28/2009  Sev=Info/4      CM/0x43100004
Establish secure connection using Ethernet

5      16:22:30.699  05/28/2009  Sev=Info/4      CM/0x43100024
Attempt connection with server "abc.clientname.com"

6      16:22:30.749  05/28/2009  Sev=Info/4      CVPND/0x43400019
Privilege Separation: binding to port: (500).

7      16:22:30.749  05/28/2009  Sev=Info/4      CVPND/0x43400019
Privilege Separation: binding to port: (4500).

8      16:22:30.749  05/28/2009  Sev=Info/6      IKE/0x4300003B
Attempting to establish a connection with aaa.bbb.ccc.ddd.

9      16:22:30.826  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to aaa.bbb.ccc.ddd

10     16:22:30.878  05/28/2009  Sev=Info/4      IPSEC/0x43700008
IPSec driver successfully started

11     16:22:30.878  05/28/2009  Sev=Info/4      IPSEC/0x43700014
Deleted all keys

12     16:22:30.878  05/28/2009  Sev=Info/6      IPSEC/0x4370002C
Sent 113 packets, 0 were fragmented.

13     16:22:31.145  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

14     16:22:31.145  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?), VID(?)) from aaa.bbb.ccc.ddd

15     16:22:31.145  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer is a Cisco-Unity compliant peer

16     16:22:31.145  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer supports XAUTH

17     16:22:31.145  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer supports DPD

18     16:22:31.145  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer supports DWR Code and DWR Text

19     16:22:31.225  05/28/2009  Sev=Info/6      IKE/0x43000001
IOS Vendor ID Contruction successful

20     16:22:31.225  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to aaa.bbb.ccc.ddd

21     16:22:31.225  05/28/2009  Sev=Info/4      IKE/0x43000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

22     16:22:31.225  05/28/2009  Sev=Info/4      CM/0x4310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     16:22:31.367  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

24     16:22:31.367  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from aaa.bbb.ccc.ddd

25     16:22:31.367  05/28/2009  Sev=Info/4      CM/0x43100015
Launch xAuth application

26     16:22:37.603  05/28/2009  Sev=Info/4      CM/0x43100017
xAuth application returned

27     16:22:37.603  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to aaa.bbb.ccc.ddd

28     16:22:40.512  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

29     16:22:40.513  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from aaa.bbb.ccc.ddd

30     16:22:40.513  05/28/2009  Sev=Info/4      CM/0x43100015
Launch xAuth application

31     16:22:47.451  05/28/2009  Sev=Info/4      CM/0x43100017
xAuth application returned

32     16:22:47.452  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to aaa.bbb.ccc.ddd

33     16:22:54.859  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

34     16:22:54.860  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from aaa.bbb.ccc.ddd

35     16:22:54.860  05/28/2009  Sev=Info/4      CM/0x43100015
Launch xAuth application

36     16:23:11.388  05/28/2009  Sev=Info/4      CM/0x43100017
xAuth application returned

37     16:23:11.388  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to aaa.bbb.ccc.ddd

38     16:23:18.393  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

39     16:23:18.393  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from aaa.bbb.ccc.ddd

40     16:23:18.393  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to aaa.bbb.ccc.ddd

41     16:23:18.393  05/28/2009  Sev=Info/4      IKE/0x43000017
Marking IKE SA for deletion  (I_Cookie=FF77BA907A32E01A R_Cookie=67BF2999BB992DBD) reason = DEL_REASON_WE_FAILED_AUTH

42     16:23:18.393  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to aaa.bbb.ccc.ddd

43     16:23:19.378  05/28/2009  Sev=Info/4      IKE/0x4300004B
Discarding IKE SA negotiation (I_Cookie=FF77BA907A32E01A R_Cookie=67BF2999BB992DBD) reason = DEL_REASON_WE_FAILED_AUTH

44     16:23:19.379  05/28/2009  Sev=Info/4      CM/0x43100014
Unable to establish Phase 1 SA with server "abc.clientname.com" because of "DEL_REASON_WE_FAILED_AUTH"

45     16:23:19.379  05/28/2009  Sev=Info/5      CM/0x43100025
Initializing CVPNDrv

46     16:23:19.379  05/28/2009  Sev=Info/4      CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

47     16:23:19.379  05/28/2009  Sev=Info/4      IKE/0x43000001
IKE received signal to terminate VPN connection

48     16:23:19.380  05/28/2009  Sev=Info/4      IPSEC/0x43700014
Deleted all keys

49     16:23:19.380  05/28/2009  Sev=Info/4      IPSEC/0x43700014
Deleted all keys

50     16:23:19.380  05/28/2009  Sev=Info/4      IPSEC/0x43700014
Deleted all keys

51     16:23:19.380  05/28/2009  Sev=Info/4      IPSEC/0x4370000A
IPSec driver successfully stopped

52     16:23:40.020  05/28/2009  Sev=Info/4      CM/0x43100002
Begin connection process

53     16:23:40.020  05/28/2009  Sev=Warning/2      CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xC0A8E1FF, Src Addr: 0xC0A8E101 (DRVIFACE:1158).

54     16:23:40.020  05/28/2009  Sev=Warning/2      CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xC0A84CFF, Src Addr: 0xC0A84C01 (DRVIFACE:1158).

55     16:23:40.023  05/28/2009  Sev=Info/4      CM/0x43100004
Establish secure connection using Ethernet

56     16:23:40.023  05/28/2009  Sev=Info/4      CM/0x43100024
Attempt connection with server "abc.clientname.com"

57     16:23:40.023  05/28/2009  Sev=Info/4      CVPND/0x43400019
Privilege Separation: binding to port: (500).

58     16:23:40.024  05/28/2009  Sev=Info/4      CVPND/0x43400019
Privilege Separation: binding to port: (4500).

59     16:23:40.024  05/28/2009  Sev=Info/6      IKE/0x4300003B
Attempting to establish a connection with aaa.bbb.ccc.ddd.

60     16:23:40.116  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to aaa.bbb.ccc.ddd

61     16:23:40.507  05/28/2009  Sev=Info/4      IPSEC/0x43700008
IPSec driver successfully started

62     16:23:40.507  05/28/2009  Sev=Info/4      IPSEC/0x43700014
Deleted all keys

63     16:23:40.507  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

64     16:23:40.508  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Frag), VID(?), VID(?)) from aaa.bbb.ccc.ddd

65     16:23:40.508  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer is a Cisco-Unity compliant peer

66     16:23:40.508  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer supports XAUTH

67     16:23:40.508  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer supports DPD

68     16:23:40.508  05/28/2009  Sev=Info/5      IKE/0x43000001
Peer supports DWR Code and DWR Text

69     16:23:40.620  05/28/2009  Sev=Info/6      IKE/0x43000001
IOS Vendor ID Contruction successful

70     16:23:40.620  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to aaa.bbb.ccc.ddd

71     16:23:40.620  05/28/2009  Sev=Info/4      IKE/0x43000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

72     16:23:40.620  05/28/2009  Sev=Info/4      CM/0x4310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

73     16:23:40.720  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

74     16:23:40.720  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from aaa.bbb.ccc.ddd

75     16:23:40.721  05/28/2009  Sev=Info/4      CM/0x43100015
Launch xAuth application

76     16:23:49.396  05/28/2009  Sev=Info/4      CM/0x43100017
xAuth application returned

77     16:23:49.396  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to aaa.bbb.ccc.ddd

78     16:23:56.403  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

79     16:23:56.403  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from aaa.bbb.ccc.ddd

80     16:23:56.403  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to aaa.bbb.ccc.ddd

81     16:23:56.403  05/28/2009  Sev=Info/4      CM/0x4310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

82     16:23:56.404  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to aaa.bbb.ccc.ddd

83     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

84     16:23:56.531  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from aaa.bbb.ccc.ddd

85     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.131.162.95

86     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.254.0

87     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.130.3.250

88     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.130.3.254

89     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 10.130.3.238

90     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS) : , value = 10.1.20.221

91     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x4300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = This equipment is the property of ClientNAME. and is intended for use by employees and authorized agents of ClientNAME. in accordance with its stated policies.  Unauthorized access or use of this system, or use in excess of that which is authorized, may subject you to disciplinary action and possible civil or criminal prosecution.

92     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

93     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x4300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = ClientNAME.com

94     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

95     16:23:56.531  05/28/2009  Sev=Info/5      IKE/0x4300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.1.Rel built by NAME on Jun 01 2005 02:16:46

96     16:23:56.531  05/28/2009  Sev=Info/4      CVPND/0x43400018
Privilege Separation: opening file: (/etc/opt/cisco-vpnclient/Profiles/Everyone.pcf).

97     16:23:56.532  05/28/2009  Sev=Info/4      CM/0x43100019
Mode Config data received

98     16:23:56.533  05/28/2009  Sev=Info/4      IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.7.160, GW IP = aaa.bbb.ccc.ddd, Remote IP = 0.0.0.0

99     16:23:56.533  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to aaa.bbb.ccc.ddd

100    16:23:56.660  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

101    16:23:56.660  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from aaa.bbb.ccc.ddd

102    16:23:56.660  05/28/2009  Sev=Info/5      IKE/0x43000045
RESPONDER-LIFETIME notify has value of 86400 seconds

103    16:23:56.660  05/28/2009  Sev=Info/5      IKE/0x43000047
This SA has already been alive for 16 seconds, setting expiry to 86384 seconds from now

104    16:23:56.660  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

105    16:23:56.660  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from aaa.bbb.ccc.ddd

106    16:23:56.660  05/28/2009  Sev=Info/5      IKE/0x43000045
RESPONDER-LIFETIME notify has value of 28800 seconds

107    16:23:56.660  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH) to aaa.bbb.ccc.ddd

108    16:23:56.660  05/28/2009  Sev=Info/5      IKE/0x43000059
Loading IPsec SA (MsgID=15B5349D OUTBOUND SPI = 0x6DEE5D93 INBOUND SPI = 0xDD60B3D9)

109    16:23:56.661  05/28/2009  Sev=Info/5      IKE/0x43000025
Loaded OUTBOUND ESP SPI: 0x6DEE5D93

110    16:23:56.661  05/28/2009  Sev=Info/5      IKE/0x43000026
Loaded INBOUND ESP SPI: 0xDD60B3D9

111    16:23:56.661  05/28/2009  Sev=Info/4      CM/0x4310001A
One secure connection established

112    16:23:56.661  05/28/2009  Sev=Info/4      CVPND/0x4340001E
Privilege Separation: reducing MTU on primary interface.

113    16:23:56.662  05/28/2009  Sev=Info/4      CVPND/0x4340001B
Privilege Separation: backing up resolv.conf file.

114    16:23:56.716  05/28/2009  Sev=Info/4      CVPND/0x4340001D
Privilege Separation: chown( /var/run/resolv.conf.vpnbackup, uid=0, gid=1 ).

115    16:23:56.717  05/28/2009  Sev=Info/4      CVPND/0x43400018
Privilege Separation: opening file: (/var/run/resolv.conf).

116    16:23:56.722  05/28/2009  Sev=Info/4      CM/0x4310003B
Address watch added for 192.168.7.160.  Current hostname: MacBook-Pro.local, Current address(es): 192.168.7.160, 192.168.225.1, 192.168.76.1.

117    16:23:57.021  05/28/2009  Sev=Info/4      IPSEC/0x43700014
Deleted all keys

118    16:23:57.021  05/28/2009  Sev=Info/4      IPSEC/0x43700010
Created a new key structure

119    16:23:57.021  05/28/2009  Sev=Info/4      IPSEC/0x4370000F
Added key with SPI=0x935dee6d into key list

120    16:23:57.021  05/28/2009  Sev=Info/4      IPSEC/0x43700010
Created a new key structure

121    16:23:57.021  05/28/2009  Sev=Info/4      IPSEC/0x4370000F
Added key with SPI=0xd9b360dd into key list

122    16:24:07.380  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

123    16:24:07.380  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723002

124    16:24:07.495  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

125    16:24:07.495  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

126    16:24:07.495  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723002, seq# expected = 699723002

127    16:24:17.880  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

128    16:24:17.880  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723003

129    16:24:17.984  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

130    16:24:17.984  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

131    16:24:17.984  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723003, seq# expected = 699723003

132    16:24:28.380  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

133    16:24:28.380  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723004

134    16:24:28.482  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

135    16:24:28.482  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

136    16:24:28.482  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723004, seq# expected = 699723004

137    16:24:38.880  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

138    16:24:38.880  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723005

139    16:24:38.991  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

140    16:24:38.991  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

141    16:24:38.991  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723005, seq# expected = 699723005

142    16:24:49.380  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

143    16:24:49.380  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723006

144    16:24:49.488  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

145    16:24:49.488  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

146    16:24:49.489  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723006, seq# expected = 699723006

147    16:24:59.880  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

148    16:24:59.881  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723007

149    16:24:59.998  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

150    16:24:59.998  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

151    16:24:59.998  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723007, seq# expected = 699723007

152    16:25:10.881  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

153    16:25:10.881  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723008

154    16:25:15.881  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

155    16:25:15.881  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723009

156    16:25:16.002  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

157    16:25:16.002  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

158    16:25:16.002  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723009, seq# expected = 699723009

159    16:25:26.381  05/28/2009  Sev=Info/4      IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to aaa.bbb.ccc.ddd

160    16:25:26.381  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723010

161    16:25:26.482  05/28/2009  Sev=Info/5      IKE/0x4300002F
Received ISAKMP packet: peer = aaa.bbb.ccc.ddd

162    16:25:26.482  05/28/2009  Sev=Info/4      IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from aaa.bbb.ccc.ddd

163    16:25:26.482  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723010, seq# expected = 699723010
0
3nerds Commented:
Ok, danf0x is 100% right on the fix; the only thing is you need to make sure that the other end has nat-t enabled also. Whoever you are connecting to has to have it enabled on their pix/firewall, otherwise you will never fix it on your end.

Also, in the Cisco VPN client, under the profile you are using to connect, on the Transport tab, make sure the check mark is there to enable Transparent Tunneling. Also make sure that IPSec over UDP is selected.

Once you connect with the vpn right click the icon and select statistics. Under transport what does it say?

Good Luck,

3nerds
0
WPC479 Author Commented:
Thanks guys. I enabled nat-traversal on my side, and in the options on the client I checked the box to enable Transp. tunneling, and doing both it worked.
0
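
Added example (not part of the thread and not Cisco tooling): a Python script that reads a Cisco VPN Client log in the format posted above and pulls out the facts behind the diagnosis reached here, namely that IKE stayed on UDP 500 rather than floating to UDP 4500 as NAT-T does, that the client address is private, and that ESP SAs were still loaded. The function names, the private-address heuristic and the derived second log (ports changed to 0x1194) are assumptions of this example.

```python
import ipaddress
import re

HEADER = re.compile(r"^(?P<n>\d+)\s+[\d:.]+\s+[\d/]+\s+Sev=\w+/\d\s+(?P<comp>\w+)/0x[0-9A-Fa-f]+$")
PORTS = re.compile(r"IKE Port in use - Local Port =\s*0x([0-9A-Fa-f]+), Remote Port =\s*0x([0-9A-Fa-f]+)")
LOCAL_IP = re.compile(r"key request from Driver: Local IP = ([\d.]+)")
ESP_SPI = re.compile(r"Loaded (?:IN|OUT)BOUND ESP SPI")
DPD_REQ = re.compile(r"Sending DPD request to \S+ our seq# = (\d+)")
DPD_ACK = re.compile(r"Received DPD ACK from \S+ seq# received = (\d+)")

# Entries copied from the client log posted in the thread (peer address as redacted there).
LOG_BEHIND_PIX = """\
71     16:23:40.620  05/28/2009  Sev=Info/4      IKE/0x43000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4

98     16:23:56.533  05/28/2009  Sev=Info/4      IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.7.160, GW IP = aaa.bbb.ccc.ddd, Remote IP = 0.0.0.0

109    16:23:56.661  05/28/2009  Sev=Info/5      IKE/0x43000025
Loaded OUTBOUND ESP SPI: 0x6DEE5D93

110    16:23:56.661  05/28/2009  Sev=Info/5      IKE/0x43000026
Loaded INBOUND ESP SPI: 0xDD60B3D9

153    16:25:10.881  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723008

155    16:25:15.881  05/28/2009  Sev=Info/6      IKE/0x4300003D
Sending DPD request to aaa.bbb.ccc.ddd, our seq# = 699723009

158    16:25:16.002  05/28/2009  Sev=Info/5      IKE/0x43000040
Received DPD ACK from aaa.bbb.ccc.ddd, seq# received = 699723009, seq# expected = 699723009
"""

# Constructed for contrast: the same entries with IKE on port 0x1194 (UDP 4500).
LOG_NATT = LOG_BEHIND_PIX.replace("0x01F4", "0x1194")


def parse_entries(text):
    """Return [entry_no, component, message] for each header + message pair."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append([int(m["n"]), m["comp"], ""])
        elif line and entries:
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return entries


def analyze(text):
    """Summarise the NAT-relevant facts found in a Cisco VPN Client log."""
    r = {"ike_ports": None, "local_ip": None, "esp_sas": 0, "dpd_unanswered": []}
    for _, _, msg in parse_entries(text):
        if m := PORTS.search(msg):
            r["ike_ports"] = (int(m[1], 16), int(m[2], 16))
        elif m := LOCAL_IP.search(msg):
            r["local_ip"] = m[1]
        elif ESP_SPI.search(msg):
            r["esp_sas"] += 1
        elif m := DPD_REQ.search(msg):
            r["dpd_unanswered"].append(int(m[1]))
        elif (m := DPD_ACK.search(msg)) and int(m[1]) in r["dpd_unanswered"]:
            r["dpd_unanswered"].remove(int(m[1]))
    # Heuristic (assumption of this example): a private client address
    # means there is NAT/PAT between the client and the remote gateway.
    r["behind_nat"] = (r["local_ip"] is not None
                       and ipaddress.ip_address(r["local_ip"]).is_private)
    r["natt"] = r["ike_ports"] == (4500, 4500)
    # Tunnel negotiated, client behind NAT, IKE never left UDP 500: the
    # "connects but nothing passes" pattern described in this thread.
    r["suspect_esp_blocked"] = bool(
        r["behind_nat"] and r["esp_sas"] and r["ike_ports"] == (500, 500))
    return r


if __name__ == "__main__":
    for name, log in (("behind PIX", LOG_BEHIND_PIX), ("NAT-T", LOG_NATT)):
        print(name, analyze(log))
```

A flagged log only says where to look; the fix confirmed in the thread was NAT traversal on the PIX plus Transparent Tunneling in the client profile.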