Showing results for 
Search instead for 
Did you mean: 

Symantec VPN Client through a PIX 501 issue


I have a client that has a PIX 501 with 6.3. We have the usual "isakmp nat-transversal 20" and the "sysopt connect permit-ipsec". However, we can not get the Symantec VPN Client to pass it's isakmp information properly. The Symantec client works fine from other locations without a PIX. I have followed Symantec's recommendations regarding NAT Transversal and it still will not work.

Does anyone have experience with this client passing through a PIX? Is there something else I should be doing/checking on the PIX?


4 Replies 4


The flip side to the nat-traversal feature is that it only works if you are not also terminating ipsec on the pix. If you have an address that you can use besided the outside interface address for the client, you can have them use that and it will work.

Can you elaborate a little more? I am a little confused by which outside interface address you are talking about - the Pix or the Symantec VPN host?

If you are talking about the PIX, do you mean assign another IP address to the outside interface? Is there anything special I would need to do to "make" the Symantec client use the new IP on the outside interface?

Thank you for taking the time to respond... I have been pulling my hair out on this one for several days now.

- Dale

Here is what I do:

object-group protocol no-pat-protocols

description This is a list of protocols that will invoke the global 99

protocol-object esp

protocol-object gre

object-group network no-pat-nets

description This is a list of networks or hosts which are permitted to use the global 99 range for VPN pass-thru

network-object 10.1.X.0

access-list no-pat extended permit object-group no-pat-protocols object-group no-pat-nets any

access-list no-pat extended permit udp object-group no-pat-nets any eq isakmp

global (outside) 99 70.x.x.120-70.x.x.126 netmask

global (outside) 100 70.x.x.110

nat (inside) 0 access-list no-nat

nat (inside) 99 access-list no-pat

nat (inside) 100

What this does is creates a policy nat which will allow vpn client users to grab an ip from the global 99 pool so that they will have an ip all to themselves while running a VPN client through and from behind the firewall.

Another option that I was suggesting initially for you is to simply create a static like so:

static(inside,outside) somePublicIP, VPNclientPCiP net

then you would need to permit isakmp in for this ip like so:

access-list someAcl permit udp any host somePublicIP eq 500

access-list someAcl permit gre any host somePublicIP

Then attach that to your outside interface. The reason, btw, that nat traversal doesn't work when you are using the pix as an ipsec endpoint is that you are already using up udp 500 on the outside interface of the pix. So if you pat on that address, isakmp won't go anywhere else but to the running process on the pix.

HTH pls rate!



I believe that you need to update the access-list on the outside to allow isakmp and AH or ESP in.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers