03-20-2003 02:27 AM - edited 02-20-2020 10:38 PM
Hello,
my problem is the following configuration:
VPN Client(Software) --> PIX --> Internet --> PIX (Tunnel Endpoint)
The VPN Client cannot connect to the second PIX over the Internet. What must I configure on the first PIX to pass the IPsec traffic to the client? Normally I think this is port 500/UDP.
In the following configuration the PIX VPN Client is functional:
VPN Client(Software) --> Router --> Internet --> PIX (Tunnel Endpoint)
On the router I have configured a static NAT/PAT entry and incoming Internet traffic is allowed to port 500/UDP.
What is the failure I have made?
Thanks for your solutions!!!
03-20-2003 12:39 PM
Hi,
On the pass-thru PIX, you need to configure NAT(static) for the vpn client machine, and then permit "UDP 500" and ESP traffic inbound on the ACL applied to the outside interface on the pix.
PIX 6.3 is coming with an IPSec/UDP feature, then you can connect one client behind PIX w/o static NAT (PIX with PAT). It's due end of March.
Thanks,
Afaq
03-30-2003 02:13 PM
Does anyone have a sample config to allow IPSec pass thru on the PIX? I have just upgraded to PIX OS 6.3 and would like to allow my internal VPN client to build a tunnel to a remote PIX.
Remote PIX-----------Internet--------------Home PIX---------VPN Client
Thanks
03-30-2003 10:35 PM
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm#1094669
Use the "fixup protocol esp-ike" command. Only one tunnel is supported at one time, also you can't terminate VPNs on this PIX after enabling this command.
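The two approaches described in this thread (static NAT plus an inbound ACL for UDP 500 and ESP on any PIX 6.x, and the PIX 6.3 "fixup protocol esp-ike" with PAT), written out as an added example configuration. This is not configuration from the thread or from Cisco; it assumes PIX 6.x syntax, a constructed inside client address (192.168.1.10), a constructed public address (203.0.113.10) and a constructed remote tunnel endpoint (198.51.100.1), and the ACL name "outside_in" is chosen here.

```cisco
! Added example, not from the thread. PIX 6.x syntax assumed.
! Addresses are constructed placeholders; substitute your own.
!
! ---- Option 1: static NAT + outside ACL (works on PIX 6.x generally) ----
! One-to-one mapping so the remote endpoint always sees the same public IP
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Allow ISAKMP (UDP 500) and ESP inbound, restricted to the remote PIX
! (198.51.100.1) rather than "any", so only the known peer can reach the client
access-list outside_in permit udp host 198.51.100.1 host 203.0.113.10 eq 500
access-list outside_in permit esp host 198.51.100.1 host 203.0.113.10
access-group outside_in in interface outside
!
! ---- Option 2: PAT with the ESP-IKE fixup (PIX 6.3 and later) ----
! Use this instead of Option 1, not together with it.
! Per the thread: only one tunnel at a time, and this PIX can no longer
! terminate VPNs itself once the fixup is enabled.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
fixup protocol esp-ike
```

With Option 1, "show xlate" should list the static translation and the client's UDP 500 exchange should appear in "show conn" once the tunnel negotiates; with Option 2, the client shares the outside interface address, which is why the PIX can track only one ESP flow.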