2.) Try : fixup protocol esp-ike on the home PIX 501.

2.) Could be a NAT Traversal issue.

Note that NAT Traversal is configured on the VPN Server not at home.

isakmp nat-traversal 20

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

sincerely

Patrick

I have exactly the same problem with my pix501. fixup esp-ike is on. nat traversal is on my pix, I will check to see if it is on the company's ASA. But, the interesting thing is - I also have Motorola router/firewall at home where I can just put a check mark in IPSEC VPN passthrough and same PC with Cisco VPN client works fine: terminates the VPN tunnel and I can ping and access everything on company LAN. PIX501 is on 6.3(5).

I just modified my Cisco VPN client to use IPSEC over UDP and now everything is working.

Thanks for your reply. My client is already set to use UDP

I have stripped out nearly all ACLs. I am not using Split Tunnel.!!

Hello,

Can you post the contents of the log window from the VPN client?

If the client connects fully and transmits traffic across the tunnel but no traffic flows back from the far end of the tunnel then it would be a config problem at the remote end.

Check the status, statistics window, that will show if traffic is flowing in both directions.

HTH.

Hi Andy

There is no traffic flowing back. The statistics show lots of traffic sent by none received. I know you say that the problem could at the remote end (ie: Office LAN)but the strange thing is that the VPN client works from pretty much anywhere else I go except home.

Hello,

In that case it could be the PIX blocking the return traffic. Do you have any inspection groups set on the PIX?

If you do not already have the following commands can you add them please and then try again.

same-security-traffic permit inter-interface

sysopt connection permit-ipsec

They will allow inter-interface traffic and mark all ipsec traffic as trusted. This allows it to bypass any access-lists and be dealt with by the crypto engine. If it doesn't match it is dropped.

HTH.

Hi Andy

Tried adding the above commands. The "same-security-traffic permit inter-interface" command wasn't accepted.

The sysopt command was accepted but still get no traffic received