[c-nsp] Problem with cisco VPN, help please
MOUHA Mohamed Sadok
ms_mouha at yahoo.fr
Sat Aug 13 05:10:34 EDT 2005
Sorry, I forgot to give you my config. I have one public IP which is used by an ADSL modem / router. I can't get another public IP address. My pix is behind this modem router and has the address 192.168.99.250. I configured the modem / router to send all packets to the pix (I have created a DMZ for the pix so it receives everything). So, the pix correctly receives the response of the remote vpn gateway but does nothing. Why? I don't know, very strange. It seems that the pix "rejects" the packet?
I'm thinking about upgrading from 6.3 to 7.0 but I'm not sure that it resolves the problem. Also, I have a 3des activation key for the 6.3 and I'm not sure that it'll work for the 7.0. Does it?
Thanks again
Joel M Snyder <Joel.Snyder at Opus1.COM> wrote:
> Thank you for your help. Yes, my VPN gateway is NATed. The guy on the
> other side tells me that he receives my packet, responds and then he
> receives nothing (time out). It seems that I'm not receiving his
> response? I have activated the debug packet from the distant gateway, it
> gives:
> -- IP --
> xxx.xxx.xxx.xxx ==> 192.168.99.250
So, this says that he's generating a response to your MM packet 1, but
that response is going back to a 192.168.x.x address. Unless he has
some magic way of getting back to that address, this is a big part of
the problem. It actually looks like you're NOT being NATed, because the
response is going back to this 192.168 address.
I think that we'd need a lot more detail about who is being NATed (or
NAPTed), what system is doing the NATing (i.e., it is smart enough to
deal with IKE+IPsec), and what your new external address is, in order to
figure it out. But the problem is somewhere in the combination of the
NAT/NAPT, the IKE peer identities, and how you might be doing
authentication.
Your life will be immeasurably easier if you can get the external IKE
address of your VPN gateway in an un-NATed state.
jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One