We have up to 25 PCs with the Cisco VPN client loaded connecting to our PIX 506 v6.3, authenticating against Windows 2003 Active Directory (as RADIUS). We also have a site-to-site VPN between our PIX and a Cisco 3000 VPN concentrator using pre-shared key authentication. The dynamic VPN configuration (VPN clients) was added to the existing site-to-site configuration. Both the site-to-site and dynamic (client) VPN connections work fine; however, when I turn on NAT traversal to allow clients (PCs) to connect to the PIX when sitting behind home NAT firewalls, the site-to-site VPN connection breaks.
I tried issuing the "fixup protocol esp-ike" command but I get an error message that I have ISAKMP policies enabled. I tried opening up port 4500 on the outside interface with an access list. This did not fix the problem either.
So how do I turn on NAT traversal for the VPN clients and still have the site-to-site VPN work?