Problems with Cisco VPN Client through a PIX Firewall.

Unanswered Question
Oct 8th, 2007


I have a PC on my LAN which I sometimes use to establish a VPN tunnel with a remote network via Cisco VPN Client. I use a Cisco router as my gateway router via broadband to gain access to the Internet and employ PAT for address translation. I upgraded the IOS to 12.2(15)T16 to support NAT Transparency, and I was able to establish the tunnel with this configuration.

I recently acquired a Cisco 506E PIX Firewall (Version 6.3(4)) to aid in my CCSP studies and integrated it into my network infrastructure. I inserted the PIX in between my router and cable modem and offloaded the PAT from the router to the PIX. I set up the firewall with a basic configuration and I was able to access the Internet perfectly, but I could not establish the VPN tunnel via the Cisco VPN Client. Other than removing the PAT commands on the router, its configuration remained the same. I tried several configurations, including enabling ISAKMP on both interfaces and activating ISAKMP NAT-Traversal, but none worked. I finally was able to get the tunnel to establish by issuing the following command: fixup protocol esp-ike, and creating an inbound ACL on the outside interface allowing ESP from the remote system in.

My question is, is there a better way to do this without using the inbound access-list on the outside interface? Doesn't the PIX have a built-in NAT-Transparency system like the routers? Here is a sanitized version of the PIX configuration.

Thank you for your time!

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list TEST permit ip any
access-list TEST permit esp any
access-list VPN_CLIENT permit esp host any
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group VPN_CLIENT in interface outside
access-group TEST in interface inside
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

acomiskey Tue, 10/09/2007 - 17:34

It's not clear in your post what the device is you are peering to. That device is what should have nat-t enabled. The fact you had to enable fixup esp-ike means nat-t was not working.

Also, you should be able to remove "access-list VPN_CLIENT permit esp host any" and apply "sysopt connection permit-ipsec".
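The reply above turns on the point that NAT-T is negotiated end to end by the two IKE peers, not by the PAT device in the middle: during IKE phase 1 each peer sends NAT-D payloads (RFC 3947) hashing the addresses it believes it is using, the other side recomputes them over the source it actually sees, and a mismatch is what makes the VPN Client switch to UDP/4500 encapsulation, which a PAT box forwards like any UDP flow. If that switch never happens, the client sends raw ESP (IP protocol 50), and then the PIX needs the esp-ike fixup or an inbound ACL. The following is an added example, not code from the post or from Cisco, that walks through that detection with constructed cookies and RFC 5737 documentation addresses; the function names are assumptions for illustration.

```python
import hashlib
import ipaddress
import struct

# Added example (not from the post): RFC 3947 NAT-D computation and the
# encapsulation decision the IKE peers make from it.  All addresses, ports
# and cookies below are constructed for illustration.


def nat_d_hash(cky_i: bytes, cky_r: bytes, addr: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 s.3.2.
    IP is the raw packed address (4 bytes for IPv4), Port is 2 bytes big-endian.
    The hash is the one negotiated for the IKE SA; SHA-1 is assumed here."""
    ip_bytes = ipaddress.ip_address(addr).packed
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + ip_bytes + struct.pack("!H", port))
    return h.digest()


def peer_nat_detected(cky_i: bytes, cky_r: bytes,
                      claimed_addr: str, claimed_port: int,
                      observed_addr: str, observed_port: int) -> bool:
    """The receiver recomputes the NAT-D hash over the source address/port it
    sees on the wire and compares it with the value the sender built from its
    own (pre-NAT) address.  Any mismatch means a NAT sits in front of the sender."""
    sent = nat_d_hash(cky_i, cky_r, claimed_addr, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_addr, observed_port)
    return sent != seen


def choose_encapsulation(nat_before_initiator: bool, nat_before_responder: bool,
                         both_support_nat_t: bool) -> str:
    """Outcome of phase 1 as seen by the data plane:
    'udp-4500' = UDP-encapsulated ESP (passes PAT like ordinary UDP),
    'esp'      = raw IP protocol 50 (PAT needs esp-ike fixup or an ACL)."""
    if both_support_nat_t and (nat_before_initiator or nat_before_responder):
        return "udp-4500"
    return "esp"


def walkthrough(pat_in_path: bool, concentrator_nat_t: bool) -> str:
    """Constructed topology matching the post: VPN Client on 192.168.1.10 behind
    a PAT box whose outside address is 198.51.100.7, concentrator at 203.0.113.5."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    cky_r = bytes.fromhex("8899aabbccddeeff")   # constructed responder cookie
    client_addr, client_port = "192.168.1.10", 500
    conc_addr, conc_port = "203.0.113.5", 500
    # What the concentrator sees as the IKE source after PAT (port picked by PAT).
    seen_addr, seen_port = ("198.51.100.7", 1025) if pat_in_path else (client_addr, client_port)

    nat_before_client = peer_nat_detected(cky_i, cky_r, client_addr, client_port,
                                          seen_addr, seen_port)
    # Concentrator is not behind NAT, so the client's check of its address matches.
    nat_before_conc = peer_nat_detected(cky_i, cky_r, conc_addr, conc_port,
                                        conc_addr, conc_port)
    return choose_encapsulation(nat_before_client, nat_before_conc, concentrator_nat_t)


if __name__ == "__main__":
    print("PAT + NAT-T on both ends :", walkthrough(True, True))    # udp-4500
    print("PAT, NAT-T not negotiated:", walkthrough(True, False))   # esp
    print("no PAT                   :", walkthrough(False, True))   # esp
```

The point for the PIX in this thread: its own `isakmp nat-traversal` setting only matters for tunnels the PIX itself terminates; for a client passing through it, the decision to use UDP/4500 is made by the client and the concentrator from the hashes above.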

lrm001c474 Sat, 10/20/2007 - 06:38

Thank you for the response.

When I remove the outside interface's ACL and apply "sysopt connection permit-ipsec", the connection fails.

Included is some of the log file with ISAKMP debugging on:

302015: Built outbound UDP connection 25163 for outside: ( to inside: (
305011: Built dynamic UDP translation from inside: to outside:
305011: Built dynamic UDP translation from inside: to outside:
302015: Built outbound UDP connection 25165 for outside: ( to inside: (
106010: Deny inbound protocol 50 src outside: dst inside:
106010: Deny inbound protocol 50 src outside: dst inside:
106010: Deny inbound protocol 50 src outside: dst inside:
106010: Deny inbound protocol 50 src outside: dst inside:
106010: Deny inbound protocol 50 src outside: dst inside:
305012: Teardown dynamic UDP translation from inside: to outside: duration 0:00:31
305011: Built dynamic UDP translation from inside: to outside:

For reference: - PC with VPN Client - PIX Outside Address - Remote Concentrator

The remote concentrator has NAT-T enabled but I do not have access to it.

Before I implemented the PIX, my router with NAT-T support worked fine without any special configuration.

Thank you.
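The log excerpt above already contains the diagnosis: a UDP/500 translation is built (IKE gets out), no UDP/4500 translation ever appears, and the concentrator's replies arrive as raw protocol 50 and hit 106010. In other words the peers did not settle on NAT-T, so the client fell back to plain ESP, which is exactly the case `sysopt connection permit-ipsec` does not cover (it only bypasses the ACL for IPsec that the PIX itself decrypts, not for pass-through ESP). The following is an added example, not from the post, of a small triage script over PIX 6.3 syslog message IDs 305011, 302015 and 106010 that separates the three cases. The log lines are constructed with RFC 5737 addresses, since the post's addresses were removed; the function name is an assumption.

```python
import re
from collections import Counter

# Added example (not from the post).  Constructed PIX 6.3 syslog samples using
# the same message IDs as the thread; addresses are documentation ranges.
SAMPLE_RAW_ESP = """\
%PIX-6-305011: Built dynamic UDP translation from inside:192.168.1.10/500 to outside:198.51.100.7/1025
%PIX-6-302015: Built outbound UDP connection 25163 for outside:203.0.113.5/500 (203.0.113.5/500) to inside:192.168.1.10/500 (198.51.100.7/1025)
%PIX-3-106010: Deny inbound protocol 50 src outside:203.0.113.5 dst inside:198.51.100.7
%PIX-3-106010: Deny inbound protocol 50 src outside:203.0.113.5 dst inside:198.51.100.7
%PIX-6-305012: Teardown dynamic UDP translation from inside:192.168.1.10/500 to outside:198.51.100.7/1025 duration 0:00:31
"""

SAMPLE_NAT_T = """\
%PIX-6-305011: Built dynamic UDP translation from inside:192.168.1.10/500 to outside:198.51.100.7/1025
%PIX-6-302015: Built outbound UDP connection 25170 for outside:203.0.113.5/500 (203.0.113.5/500) to inside:192.168.1.10/500 (198.51.100.7/1025)
%PIX-6-305011: Built dynamic UDP translation from inside:192.168.1.10/4500 to outside:198.51.100.7/1026
%PIX-6-302015: Built outbound UDP connection 25171 for outside:203.0.113.5/4500 (203.0.113.5/4500) to inside:192.168.1.10/4500 (198.51.100.7/1026)
"""

XLATE_RE = re.compile(
    r"305011: Built dynamic UDP translation from inside:(\S+)/(\d+) to outside:(\S+)/(\d+)")
DENY_RE = re.compile(
    r"106010: Deny inbound protocol (\d+) src outside:(\S+) dst inside:(\S+)")

ADVICE = {
    "nat-t": "UDP/4500 translation present: NAT-T negotiated, no ESP ACL or esp-ike fixup needed.",
    "raw-esp-denied": "IKE left but peer replied with raw ESP: NAT-T was not negotiated; "
                      "fix it on the peers, or allow pass-through with fixup protocol esp-ike "
                      "plus an ACL limited to that peer.",
    "ike-only": "IKE translation built, no ESP seen yet: phase 1 may still be failing.",
    "no-ike": "No UDP/500 translation: the client never reached the PIX outside interface.",
}


def triage(log_text: str) -> dict:
    """Classify one VPN Client attempt from PIX syslog lines."""
    inside_udp_ports = set()
    denies = Counter()              # (protocol, source) -> count
    for line in log_text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            inside_udp_ports.add(int(m.group(2)))
            continue
        m = DENY_RE.search(line)
        if m:
            denies[(int(m.group(1)), m.group(2))] += 1

    ike_out = 500 in inside_udp_ports
    nat_t_out = 4500 in inside_udp_ports
    esp_denied = sum(n for (proto, _), n in denies.items() if proto == 50)
    esp_peers = sorted(src for (proto, src) in denies if proto == 50)

    if nat_t_out:
        verdict = "nat-t"
    elif ike_out and esp_denied:
        verdict = "raw-esp-denied"
    elif ike_out:
        verdict = "ike-only"
    else:
        verdict = "no-ike"
    return {"verdict": verdict, "esp_denied": esp_denied,
            "esp_peers": esp_peers, "advice": ADVICE[verdict]}


if __name__ == "__main__":
    for name, sample in (("raw ESP", SAMPLE_RAW_ESP), ("NAT-T", SAMPLE_NAT_T)):
        r = triage(sample)
        print(f"{name}: {r['verdict']} (ESP denied {r['esp_denied']}x from {r['esp_peers']})")
        print("  ", r["advice"])
```

Feed it `show logging` output from the PIX; the `esp_peers` list is also the right scope for the inbound ACL if pass-through ESP has to stay: `permit esp host <that peer> ...` rather than any broader source.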

lrm001c474 Sat, 10/20/2007 - 10:59

Unfortunately, I do not have access to the remote concentrator. I have only been notified that it should work with NAT-T; IPsec over TCP/UDP is not configured.

This configuration worked earlier with a router with a NAT-T enabled IOS so it must be a configuration parameter with the PIX.

Thanks again for the replies.

lrm001c474 Sun, 10/28/2007 - 17:58

No ideas...

This is a strange problem; looking at the debug I listed above, it shows it is denying inbound protocol 50 (ESP), which makes sense since the VPN client operates correctly once I put an inbound ACL on the outside interface permitting ESP.

Now it can't use stateful inspection since there is no initiating ESP traffic on the inbound interface.

Does this sound correct? Maybe I have no choice but to keep the inbound ACL in place on the inbound interface.

Is ESP stateful?
