PIX 515 running 6.2(1) code - help required.

OHITS-OPS
Level 1

I have setup VPN client access to my PIX 515 running version 6.2 (1), now my problem is as follows:

When I use a PSTN dial-up connection from my laptop and then run the VPN client, I can connect to my PIX with no problem and can also access the internal network. But when I try to connect to the PIX using the same VPN client from behind another PIX (running version 6.3(4)) I cannot connect; I get a 'peer not responding' message on the VPN client.

Can someone please explain what I am missing here, or do I need to enable some command on the PIX which is running 6.2(1) code?

I have NAT-T enabled on my PIX with 6.3(4) code but cannot find any references to NAT-T for PIX with 6.2(1) code. Could this be the problem, and if so, are there any solutions?

PS. I am using VPN client version 4.0.1 (Rel).

I really need this up and running ASAP, so any help will be much appreciated. Also, I cannot upgrade the 515 to 6.3(4) as the customer does not want to.

Many thanks for your assistance.

4 Replies

gfullage
Cisco Employee

Sorry for the delay in responding.

For NAT-T to work properly you need to define it on the PIX that you're connecting to, which would be the one running 6.2(1). Unfortunately, as you've figured out, NAT-T was not supported in 6.2 code.

What you can do is allow the PIX you're going through (the one running 6.3(4)) to properly open up holes for the ESP traffic; then you shouldn't need to change anything on the 6.2(1) PIX. The following command on the 6.3(4) PIX will do that for you:

fixup protocol esp-ike

In this case we can have just one ESP connection through the 6.3(4) PIX at a time, is that true?

Glenn, many thanks for your response. When I tried to configure the fixup for esp-ike on the PIX that is running 6.3(4), I got the following message:

FW_1_UK(config)# fixup protocol esp-ike
PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!

I do have several site-to-site VPN tunnels terminating on this firewall. Is there anything I could set up on the PIX that is running 6.2(1), or even the 6.3(4)?

Many thanks for your suggestions/help.

"However, because ESP packets do not identify the ports that are involved, PAT is performed by assigning port 0 (zero). Only one ESP tunnel is supported at a time. Also, when the PIX Firewall has this feature enabled, it cannot terminate VPN tunnels in relation to other IPSec peers"

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm#wp1094669
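An added sanity check, not from this thread or from Cisco, that reads a PIX 6.x running-config excerpt and flags the two constraints the thread runs into: the esp-ike fixup refusing to coexist with ISAKMP, and its single-ESP-tunnel limit. The sample config is constructed, and the `isakmp nat-traversal` keyword is assumed to be the 6.3 NAT-T command.

```python
import re
from typing import List

# Constructed PIX 6.3(4) running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
fixup protocol esp-ike
isakmp enable outside
isakmp nat-traversal 20
crypto map vpnmap 10 ipsec-isakmp
"""


def audit_esp_ike(config: str) -> List[str]:
    """Return findings about how a PIX 6.x config handles ESP through PAT."""
    lines = [line.strip() for line in config.splitlines()]

    # 'fixup protocol esp-ike' PATs ESP by assigning port 0 (see the quoted doc).
    has_fixup = any(line == "fixup protocol esp-ike" for line in lines)

    # Interfaces on which the PIX itself terminates IKE (site-to-site or client).
    isakmp_ifaces = []
    for line in lines:
        m = re.match(r"isakmp enable (\S+)$", line)
        if m:
            isakmp_ifaces.append(m.group(1))

    # Assumed 6.3 syntax for NAT traversal; not present in 6.2 code.
    has_nat_t = any(line.startswith("isakmp nat-traversal") for line in lines)

    findings = []
    if has_fixup and isakmp_ifaces:
        findings.append(
            "CONFLICT: 'fixup protocol esp-ike' cannot coexist with ISAKMP enabled on "
            + ", ".join(isakmp_ifaces) + "; the PIX refuses the fixup command"
        )
    if has_fixup:
        findings.append(
            "LIMIT: esp-ike PAT supports only one ESP tunnel at a time (port 0 PAT)"
        )
    if isakmp_ifaces and not has_nat_t:
        findings.append(
            "NOTE: ISAKMP enabled without NAT-T; clients behind PAT need NAT-T on both ends"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_esp_ike(SAMPLE_CONFIG):
        print(finding)
```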
