Solved

Pass Client to Site IPSec VPN Tunnell Through Pix 6.3x

Posted on 2006-10-26
5
705 Views
Last Modified: 2013-11-16
I am trying to allow a client to site VPN tunnell through a PIX Firewall (version 6.3x).  Can anyone shed any light?
0
Comment
Question by:jhartlov
  • 3
  • 2
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 375 total points
ID: 17814804
Depends. What client are they using?
Do you have your own VPN configuration for external users to VPN in, or have a site-site VPN tunnel?

2 things to try:
 isakmp nat-traversal 20  <== other end must be setup to allow allow clients to use nat-traversal
 fixup protocol ike-esp <== can't use this if you also have VPN's on your PIX

Else, give this client a 1-1 static nat if you have enough public IP addresses.
0
 
LVL 1

Author Comment

by:jhartlov
ID: 17814827
I am using this to terminate site to site tunnels as well as to terminate client to site tunnels.  Not looking good?
0
 
LVL 1

Author Comment

by:jhartlov
ID: 17814872
Would it be easier if I were to upgrade this box to PIX v7?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 17815186
7.0 does not provide any advantage in this regard.
What client software are they using? A 1-1 static nat will fix the issue..
0
 
LVL 1

Author Comment

by:jhartlov
ID: 17815983
isakmp nat-traversal on the other end did the trick!  Thanks!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now