Micha,

Yes, this sounds like a nat-traversal issue. Add the "isakmp nat-traversal 20"
command to your config and see if that helps.

Good luck!

Dana

---
Dana J. Dawson Dana.Dawson@qwest.com
Sr. Staff Engineer CCIE #1937
Qwest Communications JNCIA-FWV
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

On • Friday, Jan 6 • 8:53:23 AM, at 8:53 AM, Michael Arndt wrote:

> Hello *
>
> Problem: Access of a Windows rdesktop client over a NAT/PAT VPN
> does not work when the VPN is built over a NAT-ed network.
> The access works when the client computer accesses the PIX only
> via direct link (e.g. DSL access).
>
> clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> PIX -> targetserver works
> clientPC(rdesktop,cisco-vpnclient NAT/PAT) -> (linux firewall,NAT) -> PIX -> targetserver works NOT
>
> Since I don't know if attachments are acceptable, below are the
> snippets I think are relevant from the PIX (addresses modified).
> Somewhere on this list I found hints regarding: isakmp nat-traversal
> Does that apply to the given situation?
>
> Has anyone hints, where to look ?
>
> TIA
> Micha
>
> PIX Version 6.3(3)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
>
> access-list inside_outbound_nat0_acl permit ip any 192.168.7.96 255.255.255.224
> access-list outside_cryptomap_dyn_20 permit ip any 192.168.7.96 255.255.255.224
> access-list outside_cryptomap_dyn_40 permit ip any 192.168.7.96 255.255.255.224
>
> ip address outside 123.45.152.168 255.255.255.192
> ip address inside 192.168.7.4 255.255.255.0
>
> ip local pool VPN 192.168.7.100-192.168.7.120
>
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> route outside 0.0.0.0 0.0.0.0 123.45.152.129 1
>
> sysopt connection permit-ipsec
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map client authentication LOCAL
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption 3des
> isakmp policy 20 hash md5
> isakmp policy 20 group 2
> isakmp policy 20 lifetime 86400
>
> vpngroup VPN address-pool VPN
> vpngroup VPN dns-server 123.45.1.3 123.45.1.31
> vpngroup VPN idle-time 1800
>
> dhcpd address 192.168.7.5-192.168.7.36 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd auto_config outside
> Cryptochecksum:xxx
> : end
> [OK]
>
>
>
> _______________________________________________
> VPN mailing list
> VPN@lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

