• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 327
  • Last Modified:

Allow CheckPoint SecureClient connection though PIX 501

What are the exact configuration changes necessary to allow a Check Point SecureClient to connect to a VPN while behind a PIX 501? Or before the question can be answered what info do I need.
SecureClient gives me 2 NAT traversal mechanisms
1) Support IKE over TCP
2) Force UDP Encapsulation

Pix Version 6.3(1)
PDM Version 3.0(1)
Inside Interface 139.126.X.X
Outside Interface PPPoE (66.220.x.x)
  • 2
1 Solution
1) upgrade PIX to 6.3(3) to enable nat-traversal
2) use the command "isakmp nat-traversal 20"
3) set client to force UDP encap (requires configuration on the Check Point end to allow this)

Alternative to upgrading:
1) Create a static 1-1 nat map using a spare public IP
2) set client for either TCP or UDP (depending on how the Check Point end is set up)
awgoochAuthor Commented:
Can you tell me more about the static 1-1 nat map using a spare puplic IP?
If you have another public IP that you can use besides the interface, you can do this:

static (inside,outside) <public IP> <private ip> netmask


static (inside,outside) netmask
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now