
PIX 501 Blocks VPN traffic?

kitch
Level 1

Hello,

When I try to use my VPN Client to connect to my office from a LAN (in this case a hotel) that uses a PIX 501 as their firewall, it doesn't work at all (peer not responding, although Internet access does work).

If I connect directly to the hotel's ADSL router, VPN works great.

It seems that the hotel's PIX blocks VPN traffic. What should I change in their PIX config to allow guests to use their laptops' VPN clients?

Thanks in Advance.

4 Replies

jlimbo
Level 1

You are probably running into an IPSEC-through-NAT issue where the PIX is doing the NATing. Are you terminating to a VPN concentrator? If so, you can do TCP over IPSEC/NAT transparency etc. to get over these issues. If you are using a router or PIX to terminate your VPN clients, then you should just use the ADSL connection for now, as they do not have those features yet.

I am running into the same issue with a SOHO. I cannot pass traffic through to a VPN Concentrator (Nortel Contivity 1000). Could you please tell me, or point me to a tech note that explains IPSEC/NAT transparency? Your help is greatly appreciated.

Thanks,

Jim

The PIX doesn't yet support IPSEC passthrough, unlike cheaper products from Linksys et al. I understand it is something being addressed for a future version of software. As the above message says, there is a work-around if you are using a VPN concentrator, but if you are doing standards-based IPSEC to a router or to another manufacturer's box (Contivity) then you are stuck for the moment.

kitch
Level 1

Thanks for your answers,

In my case we use a router as the terminating device. I understand that successfully connecting depends on each guest's terminating device.

If they use a VPN concentrator, it could be solved by configuring this device.

If they use a router/firewall, a new PIX software release is needed.

Thanks again.