ISAKMP nat - t

For statement: isakmp nat - t

What is it, or in what circumstances, should it be used?

Thank you for helping.

Scott

the command "isakmp nat-traversal" should be applied to the vpn server when the vpn client is behind a nat/pat device.

the reason being nat/pat on the client side will result in the ip original source to the IP (public) own peripheral nat/pat. When the vpn server receives, decrypts, and analysis package, it's going to come back with a mistake as the original source ip does not correspond to the

for example

Remote vpn client implements a remote vpn router and the client remote vpn is behind a nat/pat device, such as a router or pix.

Tags: Cisco Security

Similar Questions

ASA 5505 - crypto isakmp nat-traversal is missing?

I can't understand it. I have an ASA5505 at home that I use for VPN access. Sometimes when I connect I can't ping anything. I check the config and it shows:

No encryption isakmp nat-traversal

I have configured "crypto isakmp nat-traversal" so many times before, and somehow it is still deleted. Seems to happen at random, as well as when the device is restarted. (Yes, the config has been saved). I would say that what is happening at least 2 - 3 times a week.

Any ideas? I am running the 8.0.2 version code.

This is a bug. Set the value on something other than the default value of 20. This will fix the problem.

Cryto isakmp nat-traversal 21

"no nat-traversal crypto isakmp" after restart

Hello

With the version of the Software ASA 8.0, we noticed that whenever restart us tha device, the configuration line:

No encryption isakmp nat-traversal

appears in the configuration.

It is very annoying, because this NAT - T obviously does not work.

Any of you noticed that too?

Ideas?

Thank you very much.

Marco Pizzi.

Hi Marco,.

This is a bug in the version of the ASA 8.x software and there are workarounds:

CSCsj52581 Details of bug

No inconsistent configuration of nat-traversal isakmp crypto after reboot

Symptom:

After a restart of the ASA at the global order "no isakmp encryption".

NAT-traversal.

appears in the running-config even it is not available in the

startup-config.

Conditions:

None

Steps to reproduce:

BSNs-ASA5505-1 (config) # nat-traversal crypto isakmp

BSNs-ASA5505-1 (config) # copy run start

BSNs-ASA5505-1 (config) # sh run all | NAT Inc

Crypto isakmp nat-traversal 20

BSNs-ASA5505-1 (config) # sh start | NAT Inc

BSNs-ASA5505-1 (config) #.

After reloading of the ASA:

BSNs-asa5505-1 # sh run all | NAT Inc

No encryption isakmp nat-traversal

BSNs-asa5505-1 # sh start | NAT Inc

asa5505-BSNs-1 #.

Workaround solution:

(1) use a default value, for example, "crypto isakmp nat-traversal 21.

(2) to activate the "crypto isakmp nat-traversal" after the restart of the ASA if you

You can use the default value. The default value is: crypto isakmp

NAT-traversal 20

Radim

multiple clients behind a NAT IPSec

In our head office, I have a Pix 515e which acts as our VPN server.

Several clients at a remote office are requiring VPN access to the corporate network, but can only connect at once. If a second connects the premiera is abandoned.

I suspect that this is because they are sitting behind a Natted router and all share the same public address.

When I was installing all first the VPNGroups I read an article that has discussed this problem and offered a solution, but I can't seem to locate it. Is this possible on a 6.3 (4) Version FOS Pix

Denny,

Sounds to me that you must enable (on your PIX, config mode):

> isakmp nat-traversal

Let me know if this helps and if she please post rates as if you need an explanation on the NAT - T then let me know.

Jay

Site to Site VPN Possible behind routers NAT on both ends?

Nice day

After extensive research I have not found an answer so I turn to the community.

I'm trying to help a friend facility a VPN but it's a scenario that I have not dealt and hope that someone has.

Here's the basic scheme;

Site 1 - 172.16.23.0/24

Site 2 - 172.16.24.0/24

(Site of ASA 1 - router 172.16.23.5) - Linksys w / static public IP - Internet - Linksys router w / static public IP-(ASA Site 2 - 172.16.24.5)

Is this possible scenario with port forwarding? The warnings, I need to watch out for?

I read that I'll need a route to my ASA, say Site 1 ASA, who said... Route 172.16.24.0 255.255.255.0 1.1.1.1 (point to ASA local public IP).

I also read I'll need one additional lane in my (site 1) linksys router that says... Route 172.16.24.0 255.255.255.0 172.16.23.5 (point to the local interface of the ASA)

Thanks for all comments and suggestions.

A

Hi Adam,.

You are right with a port forwarding, you can create an IPSEC tunnel, even if NAT is present on both ends.

Also, NAT - T is a feature enabled by default on the ASA that automatically detects if the camera is behind a NAT and pass the IPSEC UDP 4500 port. Here is the syntax of the command:

ASA (config) # crypto isakmp nat-traversal 20

How NAT - T works

So, here is a document for your reference build the VPN tunnel:

http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/119141-configure-ASA-00.html

About routing, all traffic will go out of the ASA using intellectual property where the card encryption is applied, routing on linkysys devices just take care that this IP is routed Internet and that there is connection between the 2 ASAs.

It may be useful

-Randy-

Configuration VPN - NAT - T support

Hello

A partner of business (BP) has the following requirements. I don't know which statements of config I need to use to ensure this successful connection

Business (BP) needs partner complete the VPN tunnel on a firewall that is behind another firewall running NAT

(BP) will create UDP 500 and UDP 4500 endpoints on the NAT firewall which is forwarded to the Firewall VPN termination.

Because of this, the (BP) needs of my dissertation support encapsulation of ESP over UDP (NAT - T)

My series of ASA5500 using the code (825) has the statements

Crypto isakmp nat-traversal 21
crypto ISAKMP ipsec-over-tcp port 10000

VPN # match address BP_VPN crypto card
VPN # set peer (peer_ip) crypto card
VPN # game of transformation-AES_256_SHA crypto card

IPSec-l2l type tunnel-group (peer_ip)
IPSec-attributes of tunnel-group (peer_ip)
pre-shared key (TBD)

BP_VPN list extended access permit tcp host 10.x.x.x, 172.16.x.x eq (specified port) host
BP_VPN list extended access permit tcp host 10.x.x.y host 172.16.x.x eq (specified port)

NatExempt_VPN list extended access permit tcp host 10.x.x.x, 172.16.x.x eq (specified port) host
NatExempt_VPN list extended access permit tcp host 10.x.x.y host 172.16.x.x eq (specified port)

Please indicate whether these statements are sufficient and if not what else would be needed.

You need not order
```
crypto isakmp ipsec-over-tcp port 10000
```
It is for the exclusive implementation that was used before NAT - T is available. You only need to nat-traversal active. For your ACL, using ports in there makes everything complicated. You should see if you can just use 'ip' here. If there is already configured on your ASA virtual private networks, then the config is probably ok. If this isn't the case, you must always configure ISAKMP and activate the encryption on the interface card.

nat ASA 5520 problem

Hi I have a Cisco Asa 5520 and I want to vpn site-to-site by using another interface with a carrier of lan to lan, the problem is when I try to pass traffic have the syslog error to follow:

No translation not found for udp src lan2lan:10.5.50.63/44437 dst colo: biggiesmalls groups / 897

LAN to LAN service interface is called: lan2lan
one of the internal interfaces is called: colo

I think that is problem with Nat on the SAA but I need help with this.

Config:

!
interface GigabitEthernet0/0
nameif outside
security-level 0
eve of fw - ext 255.255.255.0 address IP XXaaaNNaa
OSPF cost 10
OSPF network point-to-point non-broadcast
!
interface GigabitEthernet0/1
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/1.50
VLAN 50
nameif lb
security-level 20
IP 10.1.50.11 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet0/1,501
VLAN 501
nameif colo
security-level 90
eve of fw - int 255.255.255.0 172.16.2.253 IP address
OSPF cost 10
!
!
interface GigabitEthernet1/1
Door-Lan2Lan description
nameif lan2lan
security-level 0
IP 10.100.50.1 255.255.255.248
!
access extensive list ip 10.1.0.0 lan2lan_cryptomap_51 allow 255.255.0.0 object-group elo
permit access list extended ip sfnet 255.255.255.0 lan2lan_cryptomap_51 object-group elo
pager lines 24
Enable logging
host colo biggiesmalls record
No message logging 313001
External MTU 1500
MTU 1500 lb
MTU 1500 Colo
lan2lan MTU 1500
ICMP unreachable rate-limit 1 burst-size 1
ARP timeout 14400
NAT-control
Global 1 interface (external)
interface of global (lb) 1
Global (colo) 1 interface
NAT (lb) 1 10.1.50.0 255.255.255.0
NAT (colo) - access list 0 colo_nat0_outbound
NAT (colo) 1 10.1.13.0 255.255.255.0
NAT (colo) 1 10.1.16.0 255.255.255.0
NAT (colo) 1 0.0.0.0 0.0.0.0
external_access_in access to the external interface group
Access-group lb_access_in in lb interface
Access-group colo_access_in in interface colo
Access-group management_access_in in management of the interface
Access-group interface lan2lan lan2lan
!
Service resetoutside
card crypto match 51 lan2lan_map address lan2lan_cryptomap_51
lan2lan_map 51 crypto map set peer 10.100.50.2
card crypto lan2lan_map 51 game of transformation-ESP-3DES-SHA
crypto lan2lan_map 51 set reverse-road map
lan2lan_map interface lan2lan crypto card
quit smoking
ISAKMP crypto identity hostname
ISAKMP crypto enable lan2lan
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 20
enable client-implementation to date
IPSec-attributes tunnel-group DefaultL2LGroup
pre-shared-key xxXnnAA
tunnel-group 10.100.50.2 type ipsec-l2l
tunnel-group 10.100.50.2 General-attributes
Group Policy - by default-site2site
No vpn-addr-assign aaa
No dhcp vpn-addr-assign
Telnet timeout 5
!

The VPN is OK? ("' isakmp crypto to show his" should show a MM_Active tunnel to the peer address ")

Normally exempt us VPN site-to-site of NAT traffic. This could be your problem. If you can share your configuration, we can have a look.

p.s. you should affect the question of the security / VPN forum.

Config NAT - T problem

Hello. We are currently setting up a v8.0 (2) running ASA5510. We have the NAT traversal for ipsec configuration using:

Crypto isakmp nat-traversal 20

It works very well. The problem is that whenever I write the config (write mem) it does not keep this setting in the startup-config. A 'show running-config' immediately after a recharge contains the line:

No encryption isakmp nat-traversal

If I edit the config in a txt editor and add "crypto isakmp nat-traversal 20", then copy it to the startup-config, it works. It's not enough, as it lasts only until the next time that the config is updated by a "write mem" command, which case it is invalid later.

Is this a bug in 8.0 (2)? Is it possible to add a persistent entry in the config of the SAA which is * always * retained when a "write mem" command is issued? Any help/advice appreciated.

Thank you.

Yes, a bug has been filed for this:

CSCsj52581

Check the details of the bug here:

http://www.Cisco.com/cgi-bin/support/Bugtool/home.pl

~ Rohit

VPN through NAT

Hello

I configured a PIX (6.3) for (4.0.2) VPN clients. When I try to connect using a dial-up connection, I am able to connect, but using a NAT (through a router) I stay connected but cannot access all the servers. It shows the decryption of zero packets.

Is their something I need to do on PIX? I'm using IPSEC.

Help, please.

NAT, or more precisely of PAT, will usually break an IPSec connection. Fortunately, there is a new standard called NAT - T that has each end detect that they are going through a NAT/PAT device, and if so, they'll wrap everything in UDP packets, which can then be NAT correctly.

The customer has of this feature is automatically enabled. On the PIX to put on with the command:

> isakmp nat-traversal

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 for more details.

VPN via a natted router

Hello

I think that vpn via nat is 'enabled' in the 6.3.1 software for the pix? I have problems to run. Can someone give me directions, including everything I need to know about the router?

I guess that everything that I have to do is create a static nat from 1 to 1 of the legal IP outside the pix outside IP router? Then configure the vpn as usual to accept vpn as usual (I use the 4.0.1 cisco client).

I'd appreciate any help.

Thanks for your time

Andy

I think that you need to configure the NAT-Traversal, the command to do this is isakmp nat-traversal]

NAT - T can be enabled or disabled:

By default? OFF for site to site tunnels

By default? We'RE for hardware and software VPN clients

PAT/NAT and VPN through a PIX

"PPTP through the PIX with Port address translation (PAT) does not work because there is no concept of ports in GRE"-this is an excerpt from a config PIX version 6.2 and below.

1. how this problem has been fixed in 6.3? GRE is encapsulated in udp or tcp to use ports to follow the connection?

2. is it "fixup protocol esp-ike" use the same technology - the source port created by the IKE protocol? -ISAKMP cannot be enabled when you use this command

3. What is "isakmp nat-traversal? How is this different from fixup protocol esp-ike"

Thank you

RJ

1. when the PIX sees outgoing PPTP (TCP 1723 port) packets it now opens holes for them to return, as well as opening a hole for the GRE packets, it has never done this before. The PPTP TCP packets can be PAT would be fine because they are TCP packets. GRE packets, I believe, are followed by the id field only tunnel in the package.

2. we use the source port of the ISAKMP packet for ESP packets as well. The current limitation is that if you have this option, you cannot use the PIX to close the IPSec sessions, so you can not turn on ISAKMP any interface. You can also have only a single IPSec client internal to use this feature.

3 NAT - T is a new standard for IPSec to work through a NAT device peers, because they detect changes of address during the negotiation of tunnel and automatically encapsulate packets in UDP 4500. This market allows the PIX and the other device (if it supports it) to automatically detect a NAT/PAT device between them. This differs from the "esp - ike correction '' that the PIX ends not in fact the IPSec tunnel with esp - ike, but it is the endpoint in nat - t.

Outgoing NAT does not not for a VPN L2L

We have an ASA5510 which has two LAN to LAN IPSEC VPN configured. VPN tunnels themselves are on the rise and a VPN works great. But the other VPN is not working properly the outgoing NAT traffic (inbound is very well of all the VPN endpoints). When I ping from the ASA using 'ping inside the 10.200.4.x', it works. When I ping from a box sitting inside the subnet I get the following error in the ASA logs:

failed to create translation portmap for udp src inside:10.26.32.2/137 dst outside:10.200.4.x/137

I would really appreciate if someone could tell what I did wrong with the NAT or routing configuration. This is the first time I setup two L2L VPN on a SAA. The relevant parts of the configuration below, are properly anonymized.

Edit: I forgot to mention that, once it works I need then for the inbound NAT to web.server.public.ip to 10.26.32.2 and add ACL entries for www and https.

Thank you

Matt.

interface Ethernet0/0

nameif outside

security-level 0

IP 1.2.3.33 255.255.255.248

!

interface Ethernet0/2

nameif inside

security-level 100

IP 10.26.32.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

IP 192.168.61.1 255.255.255.0

management only

!

access extensive list ip 10.26.32.0 outside_1_cryptomap_1 allow 255.255.255.0 192.168.0.0 255.255.0.0

access extensive list ip 10.26.32.0 outside_20_cryptomap_1 allow 255.255.255.0 10.200.4.0 255.255.255.0

ICMP allow any inside

ARP timeout 14400

NAT (inside) 0-list of access outside_1_cryptomap_1

NAT (inside) 1 access-list outside_20_cryptomap_1

NAT (inside) 2 0.0.0.0 0.0.0.0

Route outside 10.200.4.0 255.255.255.0 broken.vpn.endpoint.ip 1

Route outside 0.0.0.0 0.0.0.0 gateway.ip.address.here 1

Route outside 192.168.0.0 255.255.0.0 working.vpn.endpoint.ip 1

the ssh LOCAL console AAA authentication

http 192.168.61.0 255.255.255.0 management

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-SHA-256 aes-256-esp esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

SYSTEM_DEFAULT_CRYPTO_MAP game 65535 dynamic-map crypto transform-set ESP-3DES-SHA

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define security association lifetime 28800 seconds

cryptographic kilobytes 4608000 life of the set - the association of security of the 65535 SYSTEM_DEFAULT_CRYPTO_MAP of the dynamic-map

card crypto outside_map 1 match address outside_1_cryptomap_1

card crypto outside_map 1 set pfs

card crypto outside_map 1 set working.vpn.endpoint.ip counterpart

card crypto outside_map 1 set of transformation-ESP-3DES-SHA

outside_map map 1 lifetime of security association set seconds 28800 crypto

card crypto outside_map 1 set security-association life kilobytes 4608000

card crypto outside_map 20 match address outside_20_cryptomap_1

card crypto outside_map 20 set pfs

card crypto outside_map 20 peers set broken.vpn.endpoint.ip

outside_map crypto 20 card value transform-set ESP-SHA-256

life safety association set card crypto outside_map 20 28800 seconds

card crypto outside_map 20 set security-association life kilobytes 4608000

outside_map interface card crypto outside

ISAKMP allows outside

part of pre authentication ISAKMP policy 10

ISAKMP policy 10 3des encryption

ISAKMP policy 10 sha hash

10 2 ISAKMP policy group

ISAKMP life duration strategy 10 86400

part of pre authentication ISAKMP policy 20

ISAKMP policy 20 aes-256 encryption

ISAKMP policy 20 chopping sha

20 5 ISAKMP policy group

ISAKMP duration strategy of life 20 86400

ISAKMP nat-traversal 20

tunnel-group working.vpn.endpoint.ip type ipsec-l2l

working.VPN.endpoint.IP Group of tunnel ipsec-attributes

pre-shared-key *.

tunnel-group broken.vpn.endpoint.ip type ipsec-l2l

broken.VPN.endpoint.IP Group of tunnel ipsec-attributes

pre-shared-key *.

Telnet timeout 5

Console timeout 0

management-access inside

192.168.61.2 management - dhcpd addresses 192.168.61.254

dhcpd lease 3600

dhcpd ping_timeout 50

!

class-map inspection_default

match default-inspection-traffic

!

!

Policy-map global_policy

class inspection_default

inspect the dns-length maximum 512

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

!

global service-policy global_policy

These 2 lines are incorrect. The list of access crypto-list and you should not only applied to the NAT statement.

NAT (inside) 0-list of access outside_1_cryptomap_1

NAT (inside) 1 access-list outside_20_cryptomap_1

Please remove the 2 statements of NAT above, but keep the access list because those that are applied to the card encryption.

Then you must configure the following:

10.26.32.0 IP Access-list extended sheep 255.255.255.0 allow 192.168.0.0 255.255.0.0

IP 10.26.32.0 allow Access-list extended sheep 255.255.255.0 10.200.4.0 255.255.255.0

NAT (inside) 0 access-list sheep

Once the changes above, pls make "clear xlate.

Hope that helps.

NAT traversal broken after upgrade to 7.04

We had the work of nat crossing very well on our PIX

Bundle of 515e run worm 6.3.4

For ah, esp, iskmp, in the port udp 500.

crossing of nat enabled. Sysopt permit-ipsec.

behind the pix, users can estrablish vpn connections, but traffic does not pass. users can establish vpn & pass traffic very well when they are in front of the pix. Users connect to different devices vpn as we have no control or access to

Hi Eric,.

If I understand correctly, the error only occurs for users behind your pix for an upgrade to 704?

Check if the following statements are present in your pix config:

ISAKMP nat-traversal 20

ISAKMP ipsec-over-tcp port 10000

ISAKMP allows outside

Also, the error can occur because of some missing list access for users behind the pix.

HTH

Mike

Remote access via NAT VPN client

I currently have a PIX506e configured to provide access to the Cisco VPN Clients remote vpn. A single client can connect successfully and have access to the planned network. However, as soon as I connect an additional client to the firewall from the same place (the two addresses are translated under the same address) the two tunnels will stop working or could not connect.

Is the problem that I face, because two customers have the same address public after NAT, or is - it something else? Is there a way to get around this?

Hello

A lot of THAT NAT will not work if you use ESP.

The solution for this is to allow NAT - t on PIX and VPN client.

PIX:

The following command active NAT - T (for codes plus late 6.3)

ISAKMP nat-traversal

The VPN Client:

On the Transport tab, under the tab "Enable Transport Tunneling" & select "IPSec over UDP (NAT/PAT).

HTH

Kind regards

GE.

Coming out of the IPSec VPN connection behind Pix535 problem: narrowed down for NAT-Associates

Hello world

Previously, I've seen a similar thread and posted my troubles with the outbound VPN connections inside that thread:

https://supportforums.Cisco.com/message/3688980#3688980

I had the great help but unfortunatedly my problem is a little different and connection problem. Here, I summarize once again our configurations:

hostname pix535 8.0 (4)

all PC here use IP private such as 10.1.0.0/16 by dynamic NAT, we cannot initiate an OUTBOUND IPSec VPN (for example QuickVPN) at our offices, but the reverse (inbound) is very well (we have IPsec working long server /PP2P). I did a few tests of new yesterday which showed that if the PC a static NAT (mapped to a real public IP), outgoing connection VPN is fine; If the same PC has no static NAT (he hides behind the dynamic NAT firewall), outgoing VPN is a no-go (same IP to the same PC), so roughly, I have narrowed down our connection problem VPN is related to NAT, here are a few commands for NAT of our PIX:

interface GigabitEthernet0
Description to cable-modem
nameif outside
security-level 0
IP 70.169.X.X 255.255.255.0
OSPF cost 10
!
interface GigabitEthernet1
Description inside 10/16
nameif inside
security-level 100
IP 10.1.1.254 255.255.0.0
OSPF cost 10
!
!
interface Ethernet2
Vlan30 description
nameif dmz2
security-level 50
IP 30.30.30.30 255.255.255.0
OSPF cost 10
!
permit same-security-traffic inter-interface
permit same-security-traffic intra-interface

......

Global interface 10 (external)
Global (dmz2) interface 10
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 10 inside8 255.255.255.0
NAT (inside) 10 Vlan10 255.255.255.0
NAT (inside) 10 vlan50 255.255.255.0
NAT (inside) 10 192.168.0.0 255.255.255.0
NAT (inside) 10 192.168.1.0 255.255.255.0
NAT (inside) 10 192.168.10.0 255.255.255.0
NAT (inside) 10 pix-inside 255.255.0.0

Crypto isakmp nat-traversal 3600

-------

Results of packet capture are listed here for the same PC for the same traffic to Server VPN brach, the main difference is UDP 4500 (PC with static NAT has good traffic UDP 4500, does not have the same PC with dynamic NAT):

#1: when the PC uses static NAT, it is good of outgoing VPN:

54 packets captured
1: 15:43:51.112054 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
2: 15:43:54.143028 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
3: 15:44:00.217273 10.1.1.82.1608 > 76.196.10.57.443: S 1763806634:1763806634 (0) win 64240
4: 15:44:01.724938 10.1.1.82.1609 > 76.196.10.57.60443: S 2904546955:2904546955 (0) win 64240
5: 15:44:01.784642 76.196.10.57.60443 > 10.1.1.82.1609: S 2323205974:2323205974 (0) ack 2904546956 win 5808
6: 15:44:01.784886 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323205975 win 64240
7: 15:44:01.785527 10.1.1.82.1609 > 76.196.10.57.60443: P 2904546956:2904547080 (124) ack 2323205975 win 64240
8: 15:44:01.856462 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547080 win 5808
9: 15:44:01.899596 76.196.10.57.60443 > 10.1.1.82.1609: P 2323205975:2323206638 (663) ack 2904547080 win 5808
10: 15:44:02.056897 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323206638 win 63577
11: 15:44:03.495030 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547080:2904547278 (198) ack 2323206638 win 63577
12: 15:44:03.667095 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547278 win 6432
13: 15:44:03.740592 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206638:2323206697 (59) ack 2904547278 win 6432
14: 15:44:03.741264 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547278:2904547576 (298) ack 2323206697 win 63518
15: 15:44:03.814029 76.196.10.57.60443 > 10.1.1.82.1609:. ACK 2904547576 win 7504
16: 15:44:06.989008 76.196.10.57.60443 > 10.1.1.82.1609: P 2323206697:2323207075 (378) ack 2904547576 win 7504
17: 15:44:06.990228 76.196.10.57.60443 > 10.1.1.82.1609: 2323207075:2323207075 F (0) ack 2904547576 win 7504
18: 15:44:06.990564 10.1.1.82.1609 > 76.196.10.57.60443:. ACK 2323207076 win 63140
19: 15:44:06.990656 10.1.1.82.1609 > 76.196.10.57.60443: P 2904547576:2904547613 (37) ack 2323207076 win 63140
20: 15:44:06.990854 10.1.1.82.1609 > 76.196.10.57.60443: 2904547613:2904547613 F (0) ack 2323207076 win 63140
21: 15:44:07.049359 76.196.10.57.60443 > 10.1.1.82.1609: R 2323207076:2323207076 (0) win 0
22: 15:44:17.055417 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 15:44:17.137657 76.196.10.57.500 > 10.1.1.82.500: udp 140
24: 15:44:17.161475 10.1.1.82.500 > 76.196.10.57.500: udp 224
25: 15:44:17.309066 76.196.10.57.500 > 10.1.1.82.500: udp 220
26: 15:44:17.478780 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
27: 15:44:17.550356 76.196.10.57.4500 > 10.1.1.82.4500: 64 udp
28: 15:44:17.595214 10.1.1.82.4500 > 76.196.10.57.4500: udp 304
29: 15:44:17.753470 76.196.10.57.4500 > 10.1.1.82.4500: udp 304
30: 15:44:17.763037 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
31: 15:44:17.763540 10.1.1.82.4500 > 76.196.10.57.4500: udp 56
32: 15:44:18.054516 10.1.1.82.4500 > 76.196.10.57.4500: udp 68
33: 15:44:18.124840 76.196.10.57.4500 > 10.1.1.82.4500: udp 68
34: 15:44:21.835390 10.1.1.82.4500 > 76.196.10.57.4500: udp 72
35: 15:44:21.850831 10.1.1.82.4500 > 76.196.10.57.4500: udp 80
36: 15:44:21.901183 76.196.10.57.4500 > 10.1.1.82.4500: udp 72
37: 15:44:22.063747 10.1.1.82.1610 > 76.196.10.57.60443: S 938188365:938188365 (0) win 64240
38: 15:44:22.104746 76.196.10.57.4500 > 10.1.1.82.4500: udp 80
39: 15:44:22.122277 76.196.10.57.60443 > 10.1.1.82.1610: S 1440820945:1440820945 (0) ack 938188366 win 5808
40: 15:44:22.122536 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440820946 win 64240
41: 15:44:22.123269 10.1.1.82.1610 > 76.196.10.57.60443: P 938188366:938188490 (124) ack 1440820946 win 64240
42: 15:44:22.187108 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188490 win 5808
43: 15:44:22.400675 76.196.10.57.60443 > 10.1.1.82.1610: P 1440820946:1440821609 (663) ack 938188490 win 5808
44: 15:44:22.474600 10.1.1.82.1610 > 76.196.10.57.60443: P 938188490:938188688 (198) ack 1440821609 win 63577
45: 15:44:22.533648 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938188688 win 6432
46: 15:44:22.742286 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821609:1440821668 (59) ack 938188688 win 6432
47: 15:44:22.742927 10.1.1.82.1610 > 76.196.10.57.60443: P 938188688:938189002 (314) ack 1440821668 win 63518
48: 15:44:22.802570 76.196.10.57.60443 > 10.1.1.82.1610:. ACK 938189002 win 7504
49: 15:44:25.180486 76.196.10.57.60443 > 10.1.1.82.1610: P 1440821668:1440821934 (266) ack 938189002 win 7504
50: 15:44:25.181753 76.196.10.57.60443 > 10.1.1.82.1610: 1440821934:1440821934 F (0) ack 938189002 win 7504
51: 15:44:25.181997 10.1.1.82.1610 > 76.196.10.57.60443:. ACK 1440821935 win 63252
52: 15:44:25.182134 10.1.1.82.1610 > 76.196.10.57.60443: P 938189002:938189039 (37) ack 1440821935 win 63252
53: 15:44:25.182333 10.1.1.82.1610 > 76.196.10.57.60443: 938189039:938189039 F (0) ack 1440821935 win 63252
54: 15:44:25.241869 76.196.10.57.60443 > 10.1.1.82.1610: R 1440821935:1440821935 (0) win 0

#2: same PC with Dynamic NAT, VPN connection fails:

70 packets captured
1: 14:08:31.758261 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
2: 14:08:34.876907 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
3: 14:08:40.746055 10.1.1.82.1073 > 76.196.10.57.443: S 820187495:820187495 (0) win 64240
4: 14:08:42.048627 10.1.1.82.1074 > 76.196.10.57.60443: S 3309127022:3309127022 (0) win 64240
5: 14:08:42.120248 76.196.10.57.60443 > 10.1.1.82.1074: S 1715577781:1715577781 (0) ack 3309127023 win 5808
6: 14:08:42.120568 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715577782 win 64240
7: 14:08:42.121102 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127023:3309127147 (124) ack 1715577782 win 64240
8: 14:08:42.183553 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127147 win 5808
9: 14:08:42.232867 76.196.10.57.60443 > 10.1.1.82.1074: P 1715577782:1715578445 (663) ack 3309127147 win 5808
10: 14:08:42.405145 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578445 win 63577
11: 14:08:43.791340 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127147:3309127345 (198) ack 1715578445 win 63577
12: 14:08:43.850450 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127345 win 6432
13: 14:08:44.028196 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578445:1715578504 (59) ack 3309127345 win 6432
14: 14:08:44.058544 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127345:3309127643 (298) ack 1715578504 win 63518
15: 14:08:44.116403 76.196.10.57.60443 > 10.1.1.82.1074:. ACK 3309127643 win 7504
16: 14:08:47.384654 76.196.10.57.60443 > 10.1.1.82.1074: P 1715578504:1715578882 (378) ack 3309127643 win 7504
17: 14:08:47.385417 76.196.10.57.60443 > 10.1.1.82.1074: 1715578882:1715578882 F (0) ack 3309127643 win 7504
18: 14:08:47.394068 10.1.1.82.1074 > 76.196.10.57.60443:. ACK 1715578883 win 63140
19: 14:08:47.394922 10.1.1.82.1074 > 76.196.10.57.60443: P 3309127643:3309127680 (37) ack 1715578883 win 63140
20: 14:08:47.395151 10.1.1.82.1074 > 76.196.10.57.60443: 3309127680:3309127680 F (0) ack 1715578883 win 63140
21: 14:08:47.457633 76.196.10.57.60443 > 10.1.1.82.1074: R 1715578883:1715578883 (0) win 0
22: 14:08:57.258073 10.1.1.82.500 > 76.196.10.57.500: udp 276
23: 14:08:57.336255 76.196.10.57.500 > 10.1.1.82.500: udp 40
24: 14:08:58.334211 10.1.1.82.500 > 76.196.10.57.500: udp 276
25: 14:08:58.412850 76.196.10.57.500 > 10.1.1.82.500: udp 40
26: 14:09:00.333311 10.1.1.82.500 > 76.196.10.57.500: udp 276
27: 14:09:00.410730 76.196.10.57.500 > 10.1.1.82.500: udp 40
28: 14:09:02.412561 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
29: 14:09:04.349164 10.1.1.82.500 > 76.196.10.57.500: udp 276
30: 14:09:04.431648 76.196.10.57.500 > 10.1.1.82.500: udp 40
31: 14:09:05.442710 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
32: 14:09:11.380427 10.1.1.82.1075 > 76.196.10.57.443: S 968016865:968016865 (0) win 64240
33: 14:09:12.349926 10.1.1.82.500 > 76.196.10.57.500: udp 276
34: 14:09:12.421502 10.1.1.82.1076 > 76.196.10.57.60443: S 3856215672:3856215672 (0) win 64240
35: 14:09:12.430794 76.196.10.57.500 > 10.1.1.82.500: udp 40
36: 14:09:12.481832 76.196.10.57.60443 > 10.1.1.82.1076: S 248909856:248909856 (0) ack 3856215673 win 5808
37: 14:09:12.527972 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248909857 win 64240
38: 14:09:12.529238 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215673:3856215797 (124) ack 248909857 win 64240
39: 14:09:12.608275 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215797 win 5808
40: 14:09:12.658581 76.196.10.57.60443 > 10.1.1.82.1076: P 248909857:248910520 (663) ack 3856215797 win 5808
41: 14:09:12.664531 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215797:3856215995 (198) ack 248910520 win 63577
42: 14:09:12.725533 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856215995 win 6432
43: 14:09:12.880813 76.196.10.57.60443 > 10.1.1.82.1076: P 248910520:248910579 (59) ack 3856215995 win 6432
44: 14:09:12.892272 10.1.1.82.1076 > 76.196.10.57.60443: P 3856215995:3856216293 (298) ack 248910579 win 63518
45: 14:09:12.953029 76.196.10.57.60443 > 10.1.1.82.1076:. ACK 3856216293 win 7504
46: 14:09:12.955043 76.196.10.57.60443 > 10.1.1.82.1076: 248910579:248910579 F (0) ack 3856216293 win 7504
47: 14:09:12.955242 10.1.1.82.1076 > 76.196.10.57.60443:. ACK 248910580 win 63518
48: 14:09:12.955516 10.1.1.82.1076 > 76.196.10.57.60443: P 3856216293:3856216330 (37) ack 248910580 win 63518
49: 14:09:12.955730 10.1.1.82.1076 > 76.196.10.57.60443: 3856216330:3856216330 F (0) ack 248910580 win 63518
50: 14:09:13.019743 76.196.10.57.60443 > 10.1.1.82.1076: R 248910580:248910580 (0) win 0
51: 14:09:16.068691 10.1.1.82.500 > 76.196.10.57.500: udp 56
52: 14:09:16.227588 10.1.1.82.1077 > 76.196.10.57.60443: S 3657181617:3657181617 (0) win 64240
53: 14:09:16.283783 76.196.10.57.60443 > 10.1.1.82.1077: S 908773751:908773751 (0) ack 3657181618 win 5808
54: 14:09:16.306823 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908773752 win 64240
55: 14:09:16.307692 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181618:3657181742 (124) ack 908773752 win 64240
56: 14:09:16.370998 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181742 win 5808
57: 14:09:16.411935 76.196.10.57.60443 > 10.1.1.82.1077: P 908773752:908774415 (663) ack 3657181742 win 5808
58: 14:09:16.417870 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181742:3657181940 (198) ack 908774415 win 63577
59: 14:09:16.509388 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657181940 win 6432
60: 14:09:16.708413 76.196.10.57.60443 > 10.1.1.82.1077: P 908774415:908774474 (59) ack 3657181940 win 6432
61: 14:09:16.887100 10.1.1.82.1077 > 76.196.10.57.60443: P 3657181940:3657182254 (314) ack 908774474 win 63518
62: 14:09:16.948193 76.196.10.57.60443 > 10.1.1.82.1077:. ACK 3657182254 win 7504
63: 14:09:19.698465 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
64: 14:09:19.699426 76.196.10.57.60443 > 10.1.1.82.1077: 908774740:908774740 F (0) ack 3657182254 win 7504
65: 14:09:20.060162 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
66: 14:09:20.062191 76.196.10.57.60443 > 10.1.1.82.1077: P 908774474:908774740 (266) ack 3657182254 win 7504
67: 14:09:20.063732 10.1.1.82.1077 > 76.196.10.57.60443:. ACK 908774741 win 63252
68: 14:09:20.063900 10.1.1.82.1077 > 76.196.10.57.60443: P 3657182254:3657182291 (37) ack 908774741 win 63252
69: 14:09:20.064098 10.1.1.82.1077 > 76.196.10.57.60443: 3657182291:3657182291 F (0) ack 908774741 win 63252
70: 14:09:20.127694 76.196.10.57.60443 > 10.1.1.82.1077: R 908774741:908774741 (0) win 0
70 packages shown

We had this problem of connection VPN IPsec from the years (I first thought it is restriction access problem, but it does not work or if I disable all access lists, experience of yesterday for the same restriction of the access-list shows longer than PC is not the cause). All suggestions and tips are greatly appreciated.

Sean

Hi Sean, please remove th lines highlighted in your pix and try and let me know, that these lines are not the default configuration of the PIX.

VPN-udp-class of the class-map

corresponds to the list of access vpn-udp-acl

vpn-udp-policy policy-map

VPN-udp-class

inspect the amp-ipsec

type of policy-card inspect dns migrated_dns_map_1

parameters

message-length maximum 768

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the http

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

inspect the pptp

inspect the amp-ipsec

permit same-security-traffic inter-interface

permit same-security-traffic intra-interface

IP verify reverse path to the outside interface

Thank you

Rizwan James

ISAKMP nat - t

Similar Questions

Maybe you are looking for