Cisco VPN Client to PIX not Passing Traffic

posted 14 Jun 2011, 11:21 by Tristan Self
Tried to connect up to a pix using a Cisco VPN Client, the connection connected fine, but when I tried to VNC or RDC to something had no joy. Checking the statistics of the vpn connection on my pc it showed sending traffic but not getting anything back.

This is caused by a problem with NAT-Traversal.

My VPN Connection was saying transparent tunneling "disabled" even though it is set to be active I was expecting it to say: "Active on UDP Port 4500"

To resolve this you need to make sure that Nat Transversal is eanabled on the PIX.

I'm not sure if everyone is trying to connect to a Cisco PIX firewall or Cisco Concentrator. Two different solutions, but I will assume a PIX firewall. Rather than dealing with Linksys, Netgear, or versions of code, it might be easier to configure the Cisco PIX firewall to provide a better VPN solution. Make sure the PIX is running version 6.3 or later and configure it NAT traversal (which is not on by default):

isakmp nat-traversal

Then on the client make sure Transparent Tunneling is enabled for UDP. Not TCP, the PIX doesn't understand TCP Transparent Tunneling (only the Cisco Concentrator does). The nat-traversal command allows ESP packets to pass throught a NAT device. You know when ESP packets are not being passed when you can make a VPN connection but nothing works.

This should sort out the problem, oh and a typical timeout time would be 20 seconds if you need that.
Comments