Pix 501 VPN Passthrough

dktthiemer
Level 1

I am a novice/new Cisco user. I have been struggling trying to configure a Cisco PIX 501 to allow passthrough of VPN traffic. I have reviewed many articles and posts but have not had success in putting the proper configuration together. I am running a Symantec VPN client to a Symantec Security Gateway. The VPN works fine when the PIX is out of the configuration.

The PIX is version 6.3 and I also have PDM 3.0 working. I am new to the routing world. I understand most concepts but I seem to be missing a vital piece of information. The error on the Symantec VPN client is as follows: "Error connecting tunnel to xxx.xxx.xxx.xxx. The server rejected the ISAKMP Security association. Make sure the Phase 1 IDs, shared key and IKE policy are correct."

Thank you for your assistance.

5 Replies

singhsaju
Level 4

Thank you for the quick response. However, applying the one fixup command did not help the situation.

Hello Tom,

I don't know if it works in 6.x IOS, but here is another inspection:

fixup protocol ipsec-pass-thru

Also make sure that you did a one-to-one static mapping (conduits were used in legacy IOS) for an unused public IP of yours, because you cannot PAT GRE or ESP to an internal host. You may also need an outside ACL:

access-list outside_access_in permit gre xxx

access-list outside_access_in permit ipsec xx

access-list outside_access_in permit esp xxx

access-list outside_access_in permit ah xxx

Regards

Thank you for your replies. I still cannot get it to function. We will be replacing this configuration soon with new equipment; I will then have better tech support onsite. I will also be taking classes.

Thank you.

Tom,

Are there any access-lists on the PIX applied inbound? If so, after you configured the PIX 501 with the "fixup protocol esp-ike" command, did you permit ESP in the access-list? I have seen some configurations where esp-ike works only when there is an inbound ACL that permits ESP.

Example:

access-list INBOUND permit esp any any

Regards,

Arul

*Pls rate if it helps*
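Pulling the two suggestions in this thread together (a one-to-one static for the VPN client host plus an inbound ACL permitting ISAKMP/ESP/AH to it, with fixup protocol esp-ike as the PAT-only alternative), here is an added PIX 6.3 configuration sketch; it is not from any poster, and every address in it is a constructed placeholder.

```cisco
! Added example, not from the thread. Constructed placeholder addresses:
!   192.168.1.20  = inside host running the Symantec VPN client
!   198.51.100.5  = spare public IP on the outside subnet, used only for the static
!   203.0.113.10  = remote Symantec Security Gateway
!
! Option A: one-to-one static so the client's ESP/AH traffic is not PATed
static (inside,outside) 198.51.100.5 192.168.1.20 netmask 255.255.255.255
!
! Inbound ACL: allow only the gateway's IKE and IPsec replies, and only to the static
access-list OUTSIDE_IN permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list OUTSIDE_IN permit esp host 203.0.113.10 host 198.51.100.5
access-list OUTSIDE_IN permit ah  host 203.0.113.10 host 198.51.100.5
access-group OUTSIDE_IN in interface outside
!
! Option B (PIX 6.3, a single ESP client at a time): let ESP through PAT by
! tracking the IKE exchange. Use instead of the static when no spare public IP exists;
! it cannot coexist with ISAKMP terminated on the PIX itself.
fixup protocol esp-ike
```

Restrict the ACL to the gateway's address rather than "any any" so the hole opened for passthrough is limited to the one peer the client actually talks to.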
