06-27-2006 07:09 PM - edited 02-21-2020 02:30 PM
I have two PIX firewalls that are setup identically but are running different versions of the PIX OS. The one running 6.2 allows PCs running the Cisco VPN client to connect to VPN servers outside of the PIX. The other is running 6.3 and does not allow PCs to connect. If my NAT and ACLs statements are basically the same (only real difference is the IPs used) what else can be causing this? How can I troubleshoot?
Thanks,
Diego
06-27-2006 09:34 PM
Try "fixup protocol esp-ike" on the one that doesn't work, although keep in mind this will only allow one internal client to establish a VPN outbound.
Are these two sets of users connecting to the same external server? If not, then it is more likely that the connection that is working is working over NAT-T, or some form of UDP/TCP encapsulation of the IPSec packets. Note that the PIX cannot properly NAT the IPSec packets that go through as they're not TCP or UDP based. NAT-T encapsulates the IPSec packets between the client and server in UDP packets that can then be NAT'd correctly by the PIX.
Enabling NAT-T is a function of the client and server configuration though, nothing you can do about it on the PIX per se.
07-03-2006 09:07 AM
Is it possible for a non-cisco vpn client to connect thru a PIX 501?
I have the same issue but with Watchguard's MUVPN (Mobile User VPN).
Could this be fixed by a simple access-list?
Any help with this would be great!
Thanks
07-03-2006 12:54 PM
I think MUVPN is an IPsec client, so it uses ESP and UDP 500 like the Cisco client. For NAT-T Cisco uses TCP 10,000 and UDP 4500 - I don't know what MUVPN uses.
Try an ACL for debug to find the extra ports, something like:
access-list [inside ACL name] permit ip host [YOUR_IP] host [VPN_SERVER_IP] log
and watch the log for "106100" messages.
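One way to read the 106100 messages that debug ACL produces, as an added example that is not from the thread: it tallies protocol and destination port per client/server pair and then applies the explanation given earlier (raw ESP cannot be NAT'd, UDP 4500 or TCP 10000 means NAT-T encapsulation). The syslog lines are constructed for this example to match the documented 106100 format; the client and server addresses are placeholders.

```python
import re
from collections import Counter

# 106100 message format for PIX 6.x: access-list <acl> permitted|denied <proto>
# <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt ... (trailer ignored).
PATTERN = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<sif>\S+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\S+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample log (not a real capture): one client talking to a VPN
# server on IKE, NAT-T UDP, raw ESP and Cisco TCP encapsulation, plus noise.
SAMPLE_LOG = """\
%PIX-6-106100: access-list inside permitted udp inside/192.168.1.20(500) -> outside/203.0.113.10(500) hit-cnt 1 first hit [0x1, 0x0]
%PIX-6-106100: access-list inside permitted udp inside/192.168.1.20(4500) -> outside/203.0.113.10(4500) hit-cnt 3 300-second interval [0x1, 0x0]
%PIX-6-106100: access-list inside permitted esp inside/192.168.1.20(0) -> outside/203.0.113.10(0) hit-cnt 12 300-second interval [0x1, 0x0]
%PIX-6-106100: access-list inside permitted tcp inside/192.168.1.20(1045) -> outside/203.0.113.10(10000) hit-cnt 2 first hit [0x1, 0x0]
%PIX-6-106100: access-list inside permitted tcp inside/192.168.1.30(1100) -> outside/198.51.100.5(443) hit-cnt 1 first hit [0x1, 0x0]
"""

def vpn_flows(log_text, client_ip, server_ip):
    """Count (protocol, destination port) pairs seen from client_ip to server_ip."""
    flows = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m or m["src"] != client_ip or m["dst"] != server_ip:
            continue
        flows[(m["proto"], int(m["dport"]))] += 1
    return flows

def diagnose(flows):
    """Classify the client's traffic using the ports named in the thread."""
    raw_esp = any(proto == "esp" for proto, _ in flows)
    encapsulated = ("udp", 4500) in flows or ("tcp", 10000) in flows
    if encapsulated:
        return "nat-t"          # IPsec wrapped in UDP/TCP; the PIX can NAT this
    if raw_esp:
        return "raw-esp"        # bare ESP, which the PIX cannot NAT per flow
    return "no-ipsec-seen"      # only IKE (or nothing) reached the server

if __name__ == "__main__":
    flows = vpn_flows(SAMPLE_LOG, "192.168.1.20", "203.0.113.10")
    for (proto, port), hits in sorted(flows.items()):
        print(f"{proto:4} dport {port:5} lines={hits}")
    print("diagnosis:", diagnose(flows))
```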