https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121351#M1060483 <HTML><HEAD></HEAD><BODY><P>I believe that PIX code 6.3 has a fix for this...Try the command "isakmp nat-traversal." I have never tested it, but if I understand it correctly, it should work.</P><P></P><P>Has anyone used this command?</P><P></P><P>HTH</P><P></P><P>Mike</P></BODY></HTML> Tue, 23 Sep 2003 19:08:56 GMT mklaphek 2003-09-23T19:08:56Z https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121348#M1060480 <P>I have VPN client Vers. 4.0 and need to connect to a PIX firewall across the internet. The problem I am having is that I can establish a tunnel, but am unable to utilize the application or even ping the application server on the other side. I am behind another PIX firewall and when I take my local PIX firewall out of the picture I can access the application that I need to upon establishing the tunnel. So it appears something in my local PIX firewall is allowing the establishment of the tunnel, however not allow anything after the fact. </P><P>I have tried a couple of things, "sysopt connection permit-ipsec", acl's, etc... and still can not get this to work. I ran into this problem before and changed from PAT to a NAT pool, which for one reason or another fixed my problem, however this time I do not have the IP addresses available to not run PAT. </P> Fri, 21 Feb 2020 06:58:46 GMT https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121348#M1060480 kerrow 2020-02-21T06:58:46Z https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121349#M1060481 <HTML><HEAD></HEAD><BODY><P>The application in question must be opening a return connection to a port that is not pre-defined. Thats why when you changed to NAT the application was accessible. Since you are using PAT you will not be able to connect to applications that operate on ports that are not pre-defined</P></BODY></HTML> Fri, 12 Sep 2003 19:41:04 GMT https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121349#M1060481 2003-09-12T19:41:04Z https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121350#M1060482 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You'll have to make sure that the PIX firewall to which you are establishing a tunnel has the image 6.3.x which supports the NAT-T feature. This feature will allow you to connect using a vpn client which is behind a device doing PAT.</P><P></P><P>You'll have to enable NAT-T. The command is </P><P>isakmp nat-traversal</P><P>More details can be found at</P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312</A></P><P>On the local PIX make sure that you open up udp 4500 ( used by NAT-T) </P><P></P><P>Thanks</P><P>Ranjana</P></BODY></HTML> Mon, 15 Sep 2003 06:30:08 GMT https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121350#M1060482 rjwalani 2003-09-15T06:30:08Z https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121351#M1060483 <HTML><HEAD></HEAD><BODY><P>I believe that PIX code 6.3 has a fix for this...Try the command "isakmp nat-traversal." I have never tested it, but if I understand it correctly, it should work.</P><P></P><P>Has anyone used this command?</P><P></P><P>HTH</P><P></P><P>Mike</P></BODY></HTML> Tue, 23 Sep 2003 19:08:56 GMT https://community.cisco.com/t5/network-security/vpn-client-problems/m-p/121351#M1060483 mklaphek 2003-09-23T19:08:56Z