10-17-2008 11:39 AM - edited 02-21-2020 03:59 PM
I am a novice/new Cisco user. I have been struggling trying to configure a Cisco PIX 501 to allow passthrough of VPN traffic. I have reviewed many articles and posts but have not had success in putting the proper configuration together. I am running a Symantec VPN client to a Symantec Security Gateway. The VPN works fine when the PIX is out of the configuration.
The PIX is version 6.3 and I also have PDM 3.0 working. I am new to the routing world. I understand most concepts, but I seem to be missing a vital piece of information. The error on the Symantec VPN client is as follows: "Error connecting tunnel to xxx.xxx.xxx.xxx. The server rejected the ISAKMP Security Association. Make sure the Phase 1 IDs, shared key and IKE policy are correct."
Thank you for your assistance.
10-17-2008 12:12 PM
Add the following command to the PIX:
fixup protocol esp-ike
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
10-17-2008 12:59 PM
Thank you for the quick response. However applying the one fixup command did not help the situation.
10-19-2008 11:33 AM
Hello Tom,
I don't know if it works in 6.x IOS, but here is another inspection:
fixup protocol ipsec-pass-thru
Also make sure that you did a one-to-one static mapping (conduits were used in legacy IOS) for an unused public IP of yours, because you cannot PAT GRE or ESP to an internal host. You may also need an outside ACL:
access-list outside_access_in permit gre xxx
access-list outside_access_in permit ipsec xx
access-list outside_access_in permit esp xxx
access-list outside_access_in permit ah xxx
Regards
10-23-2008 01:52 PM
Thank you for your replies. I still cannot get it to function. We will be replacing this configuration soon with new equipment. I will then have better tech support onsite. I will also be taking classes.
Thank you.
10-23-2008 07:11 PM
Tom,
Are there any access-lists on the PIX applied inbound? If so, after you configured the PIX 501 with the "fixup protocol esp-ike" command, did you permit ESP in the access-list? I have seen some configurations where esp-ike works only when there is an inbound ACL that permits ESP.
Example:
access-list INBOUND permit esp any any
Regards,
Arul
*Pls rate if it helps*
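The two approaches suggested in this thread (the esp-ike fixup behind PAT, and a one-to-one static with an inbound ACL that permits ESP) are shown below as complete PIX 6.3 fragments. This is an added example written for this page, not configuration posted by anyone in the thread, and every address in it is an assumed placeholder: inside client 192.168.1.10, PIX outside interface 203.0.113.1, spare public address 203.0.113.10, remote Symantec gateway 198.51.100.5. Two caveats worth knowing before choosing: ESP carries no port numbers, so plain PAT cannot track it, which is why the PIX needs either esp-ike (one tunnel at a time) or a dedicated public address; and the esp-ike fixup cannot coexist with ISAKMP enabled on the PIX's own interfaces, so it is only an option when the PIX is not terminating VPNs itself.

```cisco
! Added example, not from the thread. All addresses are assumed placeholders.
! Pick Option A OR Option B, not both.

! ---------------------------------------------------------------------------
! Option A: client shares the outside interface address via PAT.
! "fixup protocol esp-ike" lets the PIX associate the ESP flow with the
! ISAKMP (UDP/500) exchange it just saw, so return ESP can be mapped back
! to the inside client. Limit: one ESP tunnel through the PAT address at a
! time, and it cannot be used together with "isakmp enable" on the PIX.
! ---------------------------------------------------------------------------
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
fixup protocol esp-ike

! If an inbound ACL is applied on the outside interface, the return traffic
! must be permitted explicitly; here the public address is the PIX outside
! interface (203.0.113.1). Restrict to the known peer rather than "any any".
access-list outside_access_in permit udp host 198.51.100.5 host 203.0.113.1 eq 500
access-list outside_access_in permit esp host 198.51.100.5 host 203.0.113.1
! UDP/4500 is only needed if both ends negotiate NAT-T (NAT traversal).
access-list outside_access_in permit udp host 198.51.100.5 host 203.0.113.1 eq 4500
access-group outside_access_in in interface outside

! ---------------------------------------------------------------------------
! Option B: dedicated public address, one-to-one static (no PAT involved).
! Costs one public IP per inside VPN client, but works without esp-ike and
! does not change the source address the remote gateway sees relative to
! the static, which matters when the gateway identifies peers by IP.
! ---------------------------------------------------------------------------
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

access-list outside_access_in permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list outside_access_in permit esp host 198.51.100.5 host 203.0.113.10
access-list outside_access_in permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-group outside_access_in in interface outside

! ---------------------------------------------------------------------------
! Checks to run on the PIX while the client attempts to connect:
!   show xlate          translation for 192.168.1.10 should be present
!   show conn           a UDP/500 connection toward 198.51.100.5 should appear
!   show access-list    hitcnt on the udp/esp lines above should increment;
!                       a zero hit count on the esp line with a growing
!                       udp/500 count points at ESP being dropped
! ---------------------------------------------------------------------------
```

Apply the changes with `write memory` once the tunnel comes up; if the client still reports a rejected ISAKMP SA with Option A, compare the identity the Symantec gateway expects against the address it now sees (the PIX outside address, not the client's inside address), since an IP-based Phase 1 ID will no longer match after translation.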