TCC_2

Core issue

In PIX Firewall version 6.x, enabling the fixup protocol esp-ike command allows VPN clients behind the firewall to build IPsec (ESP) tunnels through it. The drawback of this fixup is that it breaks any tunnels that terminate on the firewall itself.

The fixup protocol esp-ike command enables Port Address Translation (PAT) for Encapsulating Security Payload (ESP) for a single tunnel only: ESP (IP protocol 50) carries no port numbers, so PAT has nothing it could use to tell several tunnels apart.

Note: The fixup protocol esp-ike command is disabled by default.

When fixup protocol esp-ike is configured, the firewall preserves the source port of the Internet Key Exchange (IKE) session (UDP port 500) and creates a PAT translation for the associated ESP traffic. In this state, the Internet Security Association and Key Management Protocol (ISAKMP) cannot be enabled on any interface, so the firewall itself cannot terminate IPsec tunnels.

The fixup protocol esp-ike command is no longer supported in PIX Firewall version 7.0; NAT Traversal (NAT-T) is used instead.

Resolution

In order to allow VPN clients behind the firewall to connect to a peer beyond it, enable NAT-T on the PIX/ASA and use a VPN client that is NAT-T capable. NAT-T moves IKE and ESP into UDP port 4500, so the translation becomes an ordinary UDP PAT entry and the firewall no longer has to track bare ESP; make sure UDP ports 500 and 4500 are permitted through the firewall.

In order to enable NAT-T on the PIX, issue the isakmp nat-traversal 20 command (20 is the NAT keepalive interval in seconds). Refer to these documents for more information on NAT-T configurations:
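The two points above (the core issue, that PAT can carry at most one bare ESP tunnel, and the resolution, that NAT-T makes the tunnel an ordinary UDP translation) are modelled in this added Python example. It is not Cisco code and not part of the original document: the Pat and Packet classes, the sample addresses and the constructed packets are assumptions made here to illustrate the behaviour; the UDP port 4500 and the 4-byte Non-ESP Marker that distinguishes IKE from ESP on that port are taken from RFC 3948.

```python
"""Why many-to-one PAT breaks ESP, and how NAT-T (UDP/4500) fixes it.

Added illustration, not Cisco code. A tiny PAT model keeps a translation table
keyed on (protocol, outside port). ESP (IP protocol 50) has no transport header,
so there is no port to key on and a second inside host cannot be distinguished
on the return path; the PIX 6.x esp-ike fixup therefore allows exactly one ESP
tunnel. NAT-T (RFC 3947/3948) wraps IKE and ESP in UDP/4500, and PAT then works
for any number of clients. The Non-ESP Marker and port 4500 come from RFC 3948;
the Pat/Packet classes and all addresses below are constructed for this example.
"""
from dataclasses import dataclass, replace
from typing import Optional

ESP_PROTO, UDP_PROTO = 50, 17
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: prefix for IKE on UDP/4500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None  # None for ESP: no transport header
    dst_port: Optional[int] = None
    payload: bytes = b""


class Pat:
    """Many-to-one PAT onto one outside address, with an optional esp-ike fixup."""

    def __init__(self, outside_ip: str, esp_ike_fixup: bool = False):
        self.outside_ip = outside_ip
        self.esp_ike_fixup = esp_ike_fixup
        self.next_port = 1024
        self.table = {}        # (proto, outside_port) -> (inside_ip, inside_port)
        self.esp_owner = None  # the single inside host the fixup can track

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP_PROTO:
            if not self.esp_ike_fixup:
                raise ValueError("ESP carries no port: PAT cannot build a translation")
            if self.esp_owner not in (None, pkt.src_ip):
                raise ValueError(f"ESP translation already owned by {self.esp_owner}")
            self.esp_owner = pkt.src_ip          # the one tunnel the fixup allows
            return replace(pkt, src_ip=self.outside_ip)
        inside = (pkt.src_ip, pkt.src_port)
        for key, val in self.table.items():      # reuse an existing mapping
            if key[0] == pkt.proto and val == inside:
                return replace(pkt, src_ip=self.outside_ip, src_port=key[1])
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, port)] = inside   # a fresh outside port per inside host
        return replace(pkt, src_ip=self.outside_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP_PROTO:
            if self.esp_owner is None:
                raise ValueError("no ESP translation")
            return replace(pkt, dst_ip=self.esp_owner)
        inside_ip, inside_port = self.table[(pkt.proto, pkt.dst_port)]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def natt_ike(ike_msg: bytes) -> bytes:
    """IKE moved to UDP/4500 is prefixed with the Non-ESP Marker (RFC 3948)."""
    return NON_ESP_MARKER + ike_msg


def natt_esp(esp: bytes) -> bytes:
    """ESP in UDP/4500 is carried as-is; its leading SPI is never zero, which is
    how the receiver tells it apart from marker-prefixed IKE."""
    if esp[:4] == NON_ESP_MARKER:
        raise ValueError("SPI 0 is reserved and would collide with the marker")
    return esp


def natt_classify(udp_payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way a NAT-T peer does."""
    return "ike" if udp_payload.startswith(NON_ESP_MARKER) else "esp"


def two_clients(esp_ike_fixup: bool, nat_t: bool) -> list:
    """Push two inside hosts toward one VPN gateway; return what the gateway sees."""
    pat = Pat("203.0.113.1", esp_ike_fixup)
    esp = b"\x00\x00\x10\x01" + b"\xaa" * 16   # constructed ESP: SPI 0x1001 + data
    seen = []
    for host in ("192.168.1.10", "192.168.1.11"):
        if nat_t:
            pkt = Packet(host, "198.51.100.1", UDP_PROTO, NAT_T_PORT, NAT_T_PORT, natt_esp(esp))
        else:
            pkt = Packet(host, "198.51.100.1", ESP_PROTO, payload=esp)
        seen.append(pat.outbound(pkt))
    return seen


if __name__ == "__main__":
    for p in two_clients(esp_ike_fixup=False, nat_t=True):
        print("NAT-T client translated to", p.src_ip, p.src_port)
    try:
        two_clients(esp_ike_fixup=True, nat_t=False)
    except ValueError as e:
        print("esp-ike fixup, second client:", e)
```

Run stand-alone, the NAT-T case shows both clients leaving the PAT on the same outside address with distinct UDP ports, while the esp-ike fixup case succeeds for the first client and refuses the second, which is the single-tunnel limit described in the core issue.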
