https://community.cisco.com/t5/network-security/configuring-pix-525-client-behind-pix-using-secureremote/m-p/67588#M620359 <HTML><HEAD></HEAD><BODY><P>Yes, PAT is the problem. PAT and IPSec don't work well together, since PAT uses the TCP/UDP port number to differentiate between sessions, and IPSec is not a TCP/UDP protocol (it sits right on top of IP). The connection is established successfully because that is done with ISAKMP, which is a UDP protocol, so that can be PAT'd OK. The data is sent in IPSec packets, which can't be PAT'd.</P><P></P><P>You'll have to create a static one-to-one translation for the client and then it'll work fine. </P><P></P><P>Also, in PIX 6.3 code (not released yet), there is supposed to be support for IPSec thru PAT (IPSec passthru), so watch out for it.</P></BODY></HTML> Wed, 17 Jul 2002 02:19:36 GMT gfullage 2002-07-17T02:19:36Z https://community.cisco.com/t5/network-security/configuring-pix-525-client-behind-pix-using-secureremote/m-p/67587#M620358 <P>The Pix is using global PAT. IPsec-permit has been enabled. Ver 5.2.3</P><P></P><P>The client is in the dmz. When he iniates the connection he gets authenticated but no traffic will pass, ie. can't ping or use terminal services.</P><P></P><P>Outside the pix the client works. Is the use of PAT the problem? What is the solution?</P><P></P><P>Thanks,</P><P>Paul</P> Fri, 21 Feb 2020 06:09:27 GMT https://community.cisco.com/t5/network-security/configuring-pix-525-client-behind-pix-using-secureremote/m-p/67587#M620358 pbunchuk 2020-02-21T06:09:27Z https://community.cisco.com/t5/network-security/configuring-pix-525-client-behind-pix-using-secureremote/m-p/67588#M620359 <HTML><HEAD></HEAD><BODY><P>Yes, PAT is the problem. PAT and IPSec don't work well together, since PAT uses the TCP/UDP port number to differentiate between sessions, and IPSec is not a TCP/UDP protocol (it sits right on top of IP). The connection is established successfully because that is done with ISAKMP, which is a UDP protocol, so that can be PAT'd OK. The data is sent in IPSec packets, which can't be PAT'd.</P><P></P><P>You'll have to create a static one-to-one translation for the client and then it'll work fine. </P><P></P><P>Also, in PIX 6.3 code (not released yet), there is supposed to be support for IPSec thru PAT (IPSec passthru), so watch out for it.</P></BODY></HTML> Wed, 17 Jul 2002 02:19:36 GMT https://community.cisco.com/t5/network-security/configuring-pix-525-client-behind-pix-using-secureremote/m-p/67588#M620359 gfullage 2002-07-17T02:19:36Z