Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Pix 501 VPN Passthrough

Unanswered Question
Oct 17th, 2008
User Badges:

I am a novice/new cisco user. I have been struggling trying to configure a Cisco Pix 501 to allow passthrough of VPN traffic. I have reviewed many articles and posts but have not had success in putting the proper configuration together. I am running a Symantec VPN client to a Symantec Security Gateway. The VPN works fine when the PIX is out of the configuration.

The Pix is version 6.3 and I also have PDM 3.0 working. I am new to the routing world. I understand most concepts but I seem to be missing a vital piece of information. The error on the symantec VPN client is as follows. Error connecting tunnel to xxx.xxx.xxx.xxx. The server rejected the ISAKMP Security association. Make sure the Phase1 ID's, shared key and IKE policy are correct.

Thank you for your assistance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dktthiemer Fri, 10/17/2008 - 12:59
User Badges:

Thank you for the quick response. However applying the one fixup command did not help the situation.

husycisco Sun, 10/19/2008 - 11:33
User Badges:
  • Gold, 750 points or more

Hello Tom,

I dont know if it works in 6x IOS but here is another inspection

fixup protocol ipsec-pass-thru

Also make sure that you did a one-to-one static mapping (conduits used in legacy IOS) for an unused public IP of yours because you can not PAT gre or esp to an internal host. And you may also need an outside acl

access-list outside_access_in permit gre xxx

access-list outside_access_in permit ipsec xx

access-list outside_access_in permit esp xxx

access-list outside_access_in permit ah xxx


dktthiemer Thu, 10/23/2008 - 13:52
User Badges:

Thank you for your replies. I can not still get it to function. We will be replacing this configuration soon with new equipment. I will then have better tech support onsite. I will also be taking classes.

Thank you.

ajagadee Thu, 10/23/2008 - 19:11
User Badges:
  • Cisco Employee,


Are there any access-list on the Pix applied inbound. If so, after you configured the Pix 501 with "fixup protocol esp-ike" command, did you permit ESP in the access-list. I have seen some configuration were the esp-ike works only when there is an inbound ACL that permits ESP.


access-list INBOUND permit esp any any



*Pls rate if it helps*


This Discussion