Re: Do we need to enable NAT -T on Local and Remote Firewalls

From: Jian Gu (guxiaojian@gmail.com)
Date: Mon Dec 01 2008 - 18:39:31 ARST


It does not seem to be a NAT-T issue. From your description, NAT-T has to be
turned on, otherwise IPsec won't establish at all. What does the PIX syslog say
about why the IPsec tunnel is disconnected?

On Mon, Dec 1, 2008 at 11:47 AM, Akber Ali Mirza
<akberali.cisco@gmail.com> wrote:

> Hi Jian,
>
> This is a Client-to-site VPN to a Nortel VPN box. Do we really need NAT-T
> in the Client-to-Site VPN (C2S) case, as the VPN is only located at the remote
> end and from our end we have used PAT through the ISP for reaching the
> destination?
>
> Do we need to enable NAT-T for devices which are using NAT/PAT, as my
> external PIX is using PAT?
>
> We are not convinced about this recommendation provided by the vendor for
> this issue, hence request your further advice.
>
> Current issue: My users who use the C2S VPN to access the remote end face
> intermittent disconnection, 10 out of 30 users on a daily basis for 5 mins; after
> flushing all the connections on my external PIX firewall, all 30 users
> will be able to log in.
>
> I am looking for the Root cause.
>
> Thanks and Regards,
> Akber Mirza.
>
> On Tue, Dec 2, 2008 at 12:03 AM, Jian Gu <guxiaojian@gmail.com> wrote:
>
>> What do you mean by turn on NAT-T between internal firewall and remote
>> VPN? Your internal firewall does not terminate IPsec; your IPsec VPN is
>> between PIX515E and Nortel VPN client. Besides, NAT-T is a one-line global
>> configuration; you don't specify which IPsec peer uses NAT-T. Once
>> enabled, IPsec will automatically detect NAT.
>>
>> On Mon, Dec 1, 2008 at 5:19 AM, Akber Ali Mirza <akberali.cisco@gmail.com> wrote:
>>
>>> Hi Experts,
>>>
>>> Could you please answer the query below.
>>>
>>> (I know this forum is meant only for the CCIE Lab; I apologise for
>>> it.)
>>>
>>> Best Regards,
>>> Akber Mirza.
>>>
>>> On Mon, Dec 1, 2008 at 2:04 PM, Akber Ali Mirza <akberali.cisco@gmail.com> wrote:
>>>
>>> > Hi,
>>> >
>>> > I have IPsec configured between the local end (Cisco PIX 515E) and the
>>> > remote end device (Nortel VPN box). Users from the local end use the VPN
>>> > to access remote end applications. But I am facing issues like VPN
>>> > disconnections (10 users out of 30) intermittently. After I clear
>>> > all the sessions from the Cisco PIX firewall, the users who are facing the
>>> > problem are able to connect back to the VPN without any issues.
>>> >
>>> > My network:
>>> >
>>> > user PC ----> Core switch --> Netscreen Internal Firewall ----> Cisco PIX
>>> > External firewall (OS ver 6.2) ----> ISP Provider -------> Remote end Nortel
>>> > VPN.
>>> >
>>> > When we checked with our vendor Cisco, they are suggesting us to enable
>>> > NAT-T between our internal firewall and the remote VPN to overcome this
>>> > issue.
>>> >
>>> > Please let us know whether we need to enable this option. Also let me know
>>> > other possible causes of this issue.
>>> >
>>> >
>>> > Thanks and Regards,
>>> > Akber Mirza.
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
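The "automatically detect NAT" behaviour mentioned above comes from the IKE NAT-D payloads of RFC 3947: each peer hashes the address and port it believes it is using, and the other side compares that against what actually arrived. The following is an added example written for this thread, not code from the list, Cisco or Nortel; the cookies, addresses and the choice of SHA-1 as the negotiated hash are constructed assumptions.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    # RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port), with IP and port
    # in network byte order. The hash is the one negotiated in IKE phase 1;
    # SHA-1 is assumed here for the example.
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    # The sender puts the hash of the peer's (destination) address first, then
    # the hash of its own (source) address as it knows it, before any NAT.
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received, seen_src_ip, seen_src_port, my_ip, my_port):
    # The receiver recomputes the hashes from the addresses actually on the wire.
    # A mismatch on the peer's source hash means the peer is behind NAT; a
    # mismatch on the destination hash means the receiver itself is behind NAT.
    dst_hash, src_hashes = received[0], received[1:]
    peer_behind_nat = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in src_hashes
    local_behind_nat = nat_d_hash(cky_i, cky_r, my_ip, my_port) != dst_hash
    return {"peer_behind_nat": peer_behind_nat, "local_behind_nat": local_behind_nat}


def run_scenario(client_ip, client_port, pat_ip, pat_port, gw_ip, gw_port=500):
    # Constructed scenario: the client sends IKE from client_ip:client_port and
    # the gateway sees the packet arrive from pat_ip:pat_port after PAT.
    cky_i = bytes.fromhex("0102030405060708")   # constructed initiator cookie
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")   # constructed responder cookie
    payloads = build_nat_d_payloads(cky_i, cky_r, client_ip, client_port, gw_ip, gw_port)
    return detect_nat(cky_i, cky_r, payloads, pat_ip, pat_port, gw_ip, gw_port)


if __name__ == "__main__":
    # Client behind PAT (documentation addresses, constructed): the gateway
    # concludes the peer is NATed and both sides move to UDP/4500 encapsulation.
    print(run_scenario("10.1.1.5", 500, "203.0.113.10", 41000, "198.51.100.1"))
    # Same client with no NAT in the path: nothing is detected.
    print(run_scenario("203.0.113.10", 500, "203.0.113.10", 500, "198.51.100.1"))
```

If a NAT device also rewrites the source port unpredictably per flow or times out its UDP translation, the tunnel can still drop later even though this detection succeeded at setup, which is why the syslog on the IPsec endpoint is the place to look for the actual disconnect reason.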

This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST