VPN Client through PIX 501

dwissehr
Level 1

I am using Cisco VPN Client 4.6 to establish an IPSec tunnel w/ a PIX 501. The client is also behind a PIX 501. I can establish the tunnel, but I can't do anything after that. I can't ping any hosts or the gateway at the remote site. When I move the client from behind the PIX to a Symantec firewall, the VPN works like a champ. Does anyone have any words of wisdom? Thanx for any help!

Dave

3 Replies

Patrick Iseli
Level 7

isakmp nat-traversal 20

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick
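As an added illustration (not code from this thread or from Cisco), here is a small Python classifier for the UDP/4500 encapsulation the reply describes, following RFC 3948, the published form of the cited IETF draft. It tags each packet as IKE, NAT keepalive or UDP-encapsulated ESP, and flags a capture where the tunnel negotiates but no ESP ever comes back, which is the symptom in the question. The sample capture, SPIs and function names are constructed for the example.

```python
import struct

# Constants from RFC 3948 ("UDP Encapsulation of IPsec ESP Packets"), the
# published form of the IETF draft cited in the reply above.
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE carried on UDP/4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive sent by the peer

def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one packet on port 4500 as
    'keepalive', 'ike', 'esp' or 'invalid', with fields worth logging."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "shorter than an ESP header"}
    if payload.startswith(NON_ESP_MARKER):
        # ESP SPI 0 is reserved, so four leading zero bytes can only be IKE.
        ike = payload[4:]
        if len(ike) < 28:  # the ISAKMP header is 28 bytes
            return {"kind": "invalid", "reason": "truncated ISAKMP header"}
        ispi, rspi = struct.unpack("!8s8s", ike[:16])
        return {"kind": "ike", "initiator_spi": ispi.hex(),
                "responder_spi": rspi.hex(), "exchange_type": ike[18]}
    spi, seq = struct.unpack("!II", payload[:8])  # plain ESP header
    return {"kind": "esp", "spi": spi, "seq": seq}

def tunnel_health(packets) -> dict:
    """Summarise (direction, payload) pairs, direction 'out' (client to PIX)
    or 'in' (PIX to client), and flag IKE-up-but-no-return-ESP."""
    esp = {"out": 0, "in": 0}
    ike = keepalive = 0
    for direction, payload in packets:
        kind = classify_nat_t_payload(payload)["kind"]
        if kind == "esp":
            esp[direction] += 1
        elif kind == "ike":
            ike += 1
        elif kind == "keepalive":
            keepalive += 1
    return {"ike": ike, "keepalive": keepalive, "esp_out": esp["out"],
            "esp_in": esp["in"],
            "esp_both_ways": esp["out"] > 0 and esp["in"] > 0}

# Constructed capture: IKE, a keepalive and outbound ESP, but no ESP back.
SAMPLE_CAPTURE = [
    ("out", NON_ESP_MARKER + b"\x11" * 8 + b"\x22" * 8
     + bytes([8, 0x10, 4, 0]) + b"\x00" * 4 + struct.pack("!I", 28)),
    ("out", NAT_KEEPALIVE),
    ("out", struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
    ("out", struct.pack("!II", 0x1234ABCD, 2) + b"\x00" * 16),
]
```

Running `tunnel_health(SAMPLE_CAPTURE)` reports one IKE packet, one keepalive, two outbound ESP packets and none inbound, so `esp_both_ways` is False; a healthy NAT-T tunnel shows ESP in both directions.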

Thank you, I will try that. What about configuring IPSec to use TCP instead of UDP? That option is available in the client, but it doesn't work. Thanx again.

Dave

The TCP option on port 10000 only exists on VPN Concentrators 3xxx and is not supported on the PIX.

sincerely

Patrick