Hello *

Problem: Access of a Windows rdesktop client over a NAT/PAT VPN
does not work when the VPN is built over a NAT-ed network.
The access works when the client computer accesses the PIX only
via direct link (e.g. DSL access).

clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> PIX -> targetserver works
clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> (linux firewall,NAT) -> PIX -> targetserver works NOT

Since I don't know if attachments are acceptable, below are
the snippets I think are relevant from the PIX (addresses modified).
Somewhere on this list I found hints regarding: isakmp nat-traversal
Does that apply to the given situation?

Does anyone have hints on where to look?

TIA
Micha

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list inside_outbound_nat0_acl permit ip any 192.168.7.96 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.96 255.255.255.224
access-list outside_cryptomap_dyn_40 permit ip any 192.168.7.96 255.255.255.224

ip address outside 123.45.152.168 255.255.255.192
ip address inside 192.168.7.4 255.255.255.0

ip local pool VPN 192.168.7.100-192.168.7.120

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 123.45.152.129 1

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup VPN address-pool VPN
vpngroup VPN dns-server 123.45.1.3 123.45.1.31
vpngroup VPN idle-time 1800

dhcpd address 192.168.7.5-192.168.7.36 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
Cryptochecksum:xxx
: end
[OK]



_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn