Cannot establish UDP VPN connections from behind pix 501

Posted on 2005-05-15
Last Modified: 2008-03-17
My setup is as follows:
  Linksys router connected to Cable modem
   port 80 forwards to my web server
  vpn passthrough enabled
  default route for web server goes through Linksys router

PIX 501 behind Linksys
  All computer clients connected to the PIX.
Using Cisco VPN client 4.6.0049

  I can establish both UDP and TCP VPN connections from my web server through the Linksys
  I can establish TCP VPN connections from behind the PIX
  I CANNOT establish UDP VPN connections from behind the PIX.

Here is my config. Thanks in advance!

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Question by:pHOdAT
    LVL 79

    Accepted Solution

    Do you have the PIX outside IP as the DMZ host?
    What function is the Linksys providing beyond what the PIX itself can provide? I would say to take the Linksys completely out of the picture and try just putting the PIX on a public IP on the outside, forward port 80 to your web server and protect all clients this way.

    >isakmp nat-traversal 20
    That command already in your PIX is what enables use of UDP, so there is nothing wrong with your PIX config.

    Author Comment

    OK, I have removed the Linksys totally and re-cabled my network to go out the PIX. I just shut down the web server for now just as a test. I am still having the same problem. I can VPN over TCP but cannot over UDP. Aaahhhh!

    Author Comment

    I believe I have found the answer from another one of your posts. I had to add fixup protocol esp-ike to my config and she worked like a charm. I am going to try and cable my network the way it was before to see if it will work.

    Author Comment

    After re-cabling my network using the Linksys as my internet gateway, all is still working. Looks like the fixup protocol command was the missing link. Thanks!
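    As an added illustration of the fix the thread arrives at (not code from the thread or from Cisco), the script below parses a PIX 6.3 config and reports whether the settings that decide UDP-mode IPsec passthrough are present: PAT on the outside interface together with the missing `fixup protocol esp-ike`, plus `isakmp nat-traversal`. The sample config is a trimmed copy of the one posted above; it also flags the default SNMP community that appears in it.

```python
"""Audit a PIX 6.3 config for IPsec client passthrough through PAT.
Added example, not from the thread. SAMPLE_CONFIG is constructed from
the configuration posted above, trimmed to the relevant lines."""
import re

SAMPLE_CONFIG = """\
PIX Version 6.3(3)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
global (outside) 1 interface
nat (inside) 1 0 0
snmp-server community public
isakmp nat-traversal 20
"""


def parse_fixups(config):
    """Return the set of protocol names with an active 'fixup protocol' line."""
    fixups = set()
    for line in config.splitlines():
        m = re.match(r"^fixup protocol (\S+)", line.strip())
        if m:
            fixups.add(m.group(1))
    return fixups


def audit_vpn_passthrough(config):
    """Return a list of findings (empty list means nothing to flag)."""
    findings = []
    fixups = parse_fixups(config)
    # 'global (outside) N interface' means inside hosts are PATed behind the
    # outside address. ESP carries no port numbers, so plain PAT cannot
    # translate it; 'fixup protocol esp-ike' adds that (single-tunnel) support.
    pat_outside = re.search(r"^global \(outside\) \d+ interface", config, re.M)
    if pat_outside and "esp-ike" not in fixups:
        findings.append("PAT on outside but 'fixup protocol esp-ike' is absent: "
                        "ESP from inside VPN clients cannot be translated, so "
                        "UDP-mode tunnels fail while TCP-encapsulated ones work")
    if not re.search(r"^isakmp nat-traversal", config, re.M):
        findings.append("'isakmp nat-traversal' missing: NAT-T (UDP 4500) unavailable")
    # Unrelated to the tunnel problem, but present in the posted config.
    if re.search(r"^snmp-server community (public|private)\s*$", config, re.M):
        findings.append("SNMP community is a well-known default; change or disable it")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_passthrough(SAMPLE_CONFIG):
        print("-", finding)
```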
    LVL 79

    Expert Comment

    Good job!
