Cisco VPN Client through PIX

maik.behley
Level 1

Hello,

my problem is the following configuration:

VPN Client(Software) --> PIX --> Internet --> PIX (Tunnel Endpoint)

The VPN Client cannot connect to the second PIX over the Internet. What must I configure on the first PIX to pass the IPsec traffic to the client? Normally I think this is port 500/udp.

In the following configuration the PIX VPN Client is functional:

VPN Client(Software) --> Router --> Internet --> PIX (Tunnel Endpoint)

On the router I have configured a static NAT/PAT entry and incoming Internet traffic is allowed to port 500/udp.

What failure have I made?

Thanks for your solutions!!!

3 Replies

afakhan
Level 4

Hi,

On the pass-through PIX, you need to configure static NAT for the VPN client machine, and then permit UDP 500 and ESP traffic inbound on the ACL applied to the outside interface of the PIX.

PIX 6.3 is coming with an IPSec/UDP feature; then you can connect one client behind the PIX without static NAT (PIX with PAT). It's due at the end of March.

Thanks,

Afaq

Does anyone have a sample config to allow IPsec pass-through on the PIX? I have just upgraded to PIX OS 6.3 and would like to allow my internal VPN client to build a tunnel to a remote PIX.

Remote PIX-----------Internet--------------Home PIX---------VPN Client

Thanks

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm#1094669

Use the "fixup protocol esp-ike" command. Only one tunnel is supported at a time, and you can't terminate VPNs on this PIX after enabling this command.
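As an added example, not configuration posted by anyone in this thread, here is what the two approaches described above look like on the pass-through (home) PIX: the static NAT plus outside ACL method from the first reply, and the PAT plus `fixup protocol esp-ike` method from the last reply, for PIX 6.3. Use one or the other, not both. The interface names, the ACL name `outside_in`, and all addresses (192.168.1.10 for the client, 203.0.113.10 as the spare public address, 198.51.100.1 for the remote tunnel endpoint) are assumptions.

```cisco
! Added example, not from the thread. Addresses are assumed (documentation ranges):
!   inside VPN client ....... 192.168.1.10
!   spare public address .... 203.0.113.10
!   remote PIX (tunnel peer). 198.51.100.1
!
! --- Option A: static NAT + inbound ACL (PIX 6.x) ---
! One-to-one mapping so the client always appears as the same public address;
! this is what lets the remote PIX's IKE (UDP 500) and ESP replies reach it.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! Only the remote tunnel endpoint may reach the client, and only for the two
! IPsec protocols. ESP (IP protocol 50) carries no port numbers, so it is
! matched by protocol rather than by port.
access-list outside_in permit udp host 198.51.100.1 host 203.0.113.10 eq 500
access-list outside_in permit esp host 198.51.100.1 host 203.0.113.10
access-group outside_in in interface outside

! --- Option B: PAT + esp-ike fixup (PIX 6.3 and later) ---
! No static mapping: inside hosts share the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! The fixup tracks the ISAKMP exchange and admits the matching ESP return
! traffic, so no inbound ACL entries are needed. As the last reply notes,
! it supports one tunnel at a time and this PIX cannot terminate VPNs
! while it is enabled.
fixup protocol esp-ike
```

After the client starts IKE, `show xlate` and `show conn` on the home PIX should show the client's translation and its UDP 500 connection to the remote peer, which is the quickest way to confirm the NAT side before looking at the remote PIX.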
