topic Re: PIX 515 running 6.2(1) code - help required. in Network Security

PIX 515 running 6.2(1) code - help required.

OHITS-OPS — Fri, 21 Feb 2020 08:19:45 GMT

I have setup VPN client access to my PIX 515 running version 6.2 (1), now my problem is as follows:

When I use a PSTN dial-up connection from my laptop and then run the VPN client, I can connect to my PIX – no problem and also can access the internal network. But when I try to connect to the PIX using the same VPN client from behind another PIX (running version 6.3(4)) I can not connect, I get a ‘peer not responding message on the VPN client’.

Can someone please explain what I am missing here, or do I need to enable some command on the PIX which is running 6.2(1) code??

I have NAT-T enabled on my PIX with 6.3(4) code but can not find any references to NAT-T for PIX with 6.2(1) code!! – could this be the problem, if so is there any solutions?

PS. I am using VPN client version 4.0.1 (Rel)

I really need this up and running ASAP so any help will be much appreciated also, I can not upgrade the 515 to 6.3(4) as customer does not want to!!!

Many thanks for you assistance.

Re: PIX 515 running 6.2(1) code - help required.

gfullage — Tue, 16 Aug 2005 03:08:43 GMT

Sorry for the delay in responding.

For NAT-T to work properly you need to define it on the PIX that you're connecting to, which would be the one running 6.2(1). Unfortunately, as you've figured out, NAT-T was not supported in 6.2 code.

What you can do is allow the PIX you're going thru (the one running 6.3(4)) to properly open up holes for the ESP traffic, then you shouldn't need to change anything on the 6.2(1) PIX. The following command on the 6.3(4) PIX will do that for you:

fixup protocol esp-ike

Re: PIX 515 running 6.2(1) code - help required.

mehrdad — Tue, 16 Aug 2005 04:28:50 GMT

In this case we can have just one ESP connection through the 6.3(4) PIX at a time, does it true?

Re: PIX 515 running 6.2(1) code - help required.

OHITS-OPS — Tue, 16 Aug 2005 06:23:18 GMT

Glenn - many thanks for your response, when I tried to configure the fixup for esp-ike on the PIX that is running 6.3(4), I got the following message:

FW_1_UK(config)# fixup protocol esp-ike

PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration

and re-issue the command!

I do have several site-to-site VPN tunnels terminating on this firewall, is there anything I could setup on the PIX that is running 6.2(1) or even the 6.3(4)??

Many thanks for your suggestions/help.

Re: PIX 515 running 6.2(1) code - help required.

mehrdad — Tue, 16 Aug 2005 06:34:40 GMT

"However, because ESP packets do not identify the ports that are involved, PAT is performed by assigning port 0 (zero). Only one ESP tunnel is supported at a time. Also, when the PIX Firewall has this feature enabled, it cannot terminate VPN tunnels in relation to other IPSec peers"

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm#wp1094669