Showing results for 
Search instead for 
Did you mean: 
Cisco Community November 2020 Spotlight Award Winners

VPN Client users are unable to connect beyond the PIX firewall or ASA


Core issue

In PIX Firewall version 6.x, if the fixup protocol esp-ike command is enabled, users are allowed to work behind the firewall. The problem with this fix is that it breaks any tunnels that went to this firewall.

The fixup protocol esp-ike command enables Port Address Translation (PAT) for Encapsulating Security Payload (ESP) for a single tunnel.

Note: The fixup protocol esp-ike command is disabled by default.

If a fixup protocol esp-ike command is issued, the firewall preserves the source port of the Internet Key Exchange (IKE) and creates a PAT translation for ESP traffic. Additionally, in this case, the Internet Security Association and Key Management Protocol (ISAKMP) cannot be enabled on any interface.

The fixup protocol esp-ike command is not supported in PIX Firewall version 7.0 anymore, but NAT-T can be enabled instead.


In order to allow VPN clients to connect beyond the firewall, enable NAT-T on the PIX/ASA and use a VPN client that is NAT-T capable.

In order to enable NAT-T on PIX, issue the isakmp nat-traversal 20 command. Refer to these documents for more information on NAT-T configurations:

Content for Community-Ad