04-04-2003 12:36 PM - edited 02-21-2020 12:27 PM
I have a customer with a PIX 501 who would like to set up IPSEC tunnels using the VPN 3000 client. Because this customer may be establishing these tunnels from behind a firewall at remote sites, he would like to use IPSEC over TCP. Will the PIX 501 support this, and do you have any sample configurations for this?
04-04-2003 07:02 PM
Hi,
PIX doesn't support ipsec/tcp (only vpn3000), so best bet for you is to download pix OS V6.3.1, and use a windows vpn client V3.6 (or later) to negotiate NAT-T (IPsec/udp on UDP 4500).
Other than the regular config on the pix for client connections, you would need isakmp nat-t line.
Thx
Afaq
04-14-2003 02:31 PM
Which PIX do I add the isakmp nat-t line to, the PIX that is terminating the tunnel or the PIX in the middle that the client is behind?
04-14-2003 02:48 PM
Add:
> isakmp nat-traversal
to the PIX that is terminating the tunnel. It and the client will automatically detect that there's a NAT device in between them and will encapsulate everything in UDP 4500 packets.
04-14-2003 08:20 PM
Any configuration needed for the PIX in the middle?
04-16-2003 04:32 PM
Nothing special, just the NAT config that is already on there so that packets pass thru it properly.
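To confirm from a capture taken at the middle device that the tunnel really negotiated NAT-T, the UDP 4500 traffic mentioned above can be classified by its first bytes as defined in RFC 3948. This is an added example, not part of the original thread; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

IKE_PORT, NATT_PORT = 500, 4500
IKE_HDR_LEN = 28                  # fixed ISAKMP header size
NON_ESP_MARKER = b"\x00" * 4      # precedes IKE messages on UDP 4500 (RFC 3948)

def classify(sport, dport, payload):
    """Return (kind, spi) for one UDP payload; spi is set only for ESP-in-UDP."""
    ports = {sport, dport}        # the client-side port may be rewritten by NAT
    if NATT_PORT in ports:
        if payload == b"\xff":    # one-byte NAT keepalive
            return ("nat-keepalive", None)
        if len(payload) < 8:      # too short for marker+IKE or SPI+sequence
            return ("malformed", None)
        if payload[:4] == NON_ESP_MARKER:
            ok = len(payload) >= 4 + IKE_HDR_LEN
            return ("ike-natt" if ok else "malformed", None)
        # Anything else on 4500 is ESP: the first 4 bytes are a non-zero SPI
        return ("esp-in-udp", struct.unpack("!I", payload[:4])[0])
    if IKE_PORT in ports:
        return ("ike" if len(payload) >= IKE_HDR_LEN else "malformed", None)
    return ("other", None)

def summarize(packets):
    """Count packet kinds over an iterable of (sport, dport, payload) tuples."""
    return Counter(classify(*p)[0] for p in packets)

def ike_header(msg_id=0):
    # Constructed ISAKMP header: cookies, next payload, version 1.0,
    # exchange type, flags, message id, total length
    return struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8,
                       1, 0x10, 4, 0, msg_id, IKE_HDR_LEN)

# Constructed sample capture: (source port, destination port, UDP payload)
SAMPLE = [
    (1024, 500, ike_header()),                                # first IKE exchange
    (1025, 4500, NON_ESP_MARKER + ike_header()),              # IKE after NAT detection
    (1025, 4500, struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 32),  # ESP in UDP
    (1025, 4500, b"\xff"),                                    # keepalive
    (4500, 1025, b"\x00\x00"),                                # truncated packet
]

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE).items():
        print(kind, count)
```

A capture that shows only `ike` on UDP 500 and no `esp-in-udp` on UDP 4500 means NAT-T was not negotiated.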