Configuring PIX 525 - client behind Pix using SecureRemote

pbunchuk
Level 1

The PIX is using global PAT. IPsec permit has been enabled. Version 5.2.3.

The client is in the DMZ. When he initiates the connection he gets authenticated, but no traffic will pass, i.e. he can't ping or use Terminal Services.

Outside the PIX the client works. Is the use of PAT the problem? What is the solution?

Thanks,

Paul

1 Reply

gfullage
Cisco Employee

Yes, PAT is the problem. PAT and IPSec don't work well together, since PAT uses the TCP/UDP port number to differentiate between sessions, and IPSec is not a TCP/UDP protocol (it sits right on top of IP). The connection is established successfully because that is done with ISAKMP, which is a UDP protocol, so that can be PAT'd OK. The data is sent in IPSec packets, which can't be PAT'd.

You'll have to create a static one-to-one translation for the client and then it'll work fine.

Also, in PIX 6.3 code (not released yet), there is supposed to be support for IPSec through PAT (IPSec passthru), so watch out for it.
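The mechanism described in the reply, as an added example that is not code from the thread or from Cisco: a toy packet translator that keys PAT entries on the transport-layer port, so ISAKMP (UDP/500) gets a reversible mapping while ESP (IP protocol 50, no ports) does not, next to a static one-to-one translator that keys on the IP address alone and carries both. All addresses, the class names and the `ipsec_session` helper are made up for illustration.

```python
# Toy model of PAT vs. static one-to-one translation for an IPsec client.
# Added example, not code from the thread or from Cisco; addresses are made up.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

UDP = 17   # ISAKMP runs over UDP/500, so it has ports PAT can rewrite
ESP = 50   # ESP is its own IP protocol: there is no port to key a PAT entry on


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for port-less protocols such as ESP
    dport: Optional[int] = None


class PatTranslator:
    """Many inside hosts share one global address; flows are told apart by port."""

    def __init__(self, global_ip: str, first_port: int = 1024) -> None:
        self.global_ip = global_ip
        self.next_port = first_port
        self.xlate: Dict[Tuple[int, str, int], int] = {}      # (proto, inside ip, inside port) -> global port
        self.rev: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, global port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # nothing to key the translation on: the packet is dropped
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.rev[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.global_ip, sport=self.xlate[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:
            return None  # inbound ESP: no port, so no way to pick the inside host
        inside = self.rev.get((pkt.proto, pkt.dport))
        if inside is None:
            return None
        return replace(pkt, dst=inside[0], dport=inside[1])


class StaticTranslator:
    """One-to-one address translation; ports, if present, are left untouched."""

    def __init__(self, mapping: Dict[str, str]) -> None:  # inside ip -> global ip
        self.fwd = dict(mapping)
        self.rev = {g: i for i, g in mapping.items()}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        g = self.fwd.get(pkt.src)
        return None if g is None else replace(pkt, src=g)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        i = self.rev.get(pkt.dst)
        return None if i is None else replace(pkt, dst=i)


def ipsec_session(fw, client: str, gateway: str) -> Dict[str, bool]:
    """Push an ISAKMP exchange and then ESP through the translator in both directions.

    A leg counts as delivered only if the gateway's reply lands back on the
    original client address, which is what 'traffic passes' means for the user.
    """
    result: Dict[str, bool] = {}
    ike_out = fw.outbound(Packet(UDP, client, gateway, 500, 500))
    result["isakmp_out"] = ike_out is not None
    ike_back = None
    if ike_out is not None:
        ike_reply = Packet(UDP, gateway, ike_out.src, ike_out.dport, ike_out.sport)
        ike_back = fw.inbound(ike_reply)
    result["isakmp_in"] = ike_back is not None and ike_back.dst == client

    esp_out = fw.outbound(Packet(ESP, client, gateway))
    result["esp_out"] = esp_out is not None
    esp_back = fw.inbound(Packet(ESP, gateway, esp_out.src)) if esp_out is not None else None
    result["esp_in"] = esp_back is not None and esp_back.dst == client
    return result


def compare(client: str = "10.1.1.5", gateway: str = "198.51.100.1") -> Dict[str, Dict[str, bool]]:
    """Same client, same gateway, once behind PAT and once behind a static one-to-one entry."""
    pat = PatTranslator("203.0.113.1")                 # one shared global address
    static = StaticTranslator({client: "203.0.113.10"})  # dedicated global address for the client
    return {"pat": ipsec_session(pat, client, gateway),
            "static": ipsec_session(static, client, gateway)}


if __name__ == "__main__":
    for name, legs in compare().items():
        print(name, legs)
```

Running it shows both ISAKMP legs succeed under either translator, while both ESP legs fail under PAT and succeed under the static mapping, which is exactly the "authenticates but passes no traffic" symptom in the question. On the PIX itself the one-to-one entry the reply recommends is a `static` translation from the DMZ interface to the outside interface for the client's address (with made-up addresses, something like a `static (dmz,outside)` entry mapping 203.0.113.10 to 10.1.1.5); the exact syntax for the 5.2 release should be checked against its command reference.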
