- Gold, 750 points or more
The fixup protocol esp-ike command enables Port Address Translation (PAT) for Encapsulating Security Payload (ESP), single tunnel.
The fixup protocol esp-ike command is disabled by default. If a fixup protocol esp-ike command is issued, the fixup is turned on, and the PIX Firewall preserves the source port of the Internet Key Exchange (IKE). It also creates a PAT translation for ESP traffic. Additionally, if the esp-ike fixup is on, Internet Security Association and Key Management Protocol (ISAKMP) cannot be enabled on any interface.
In order to resolve the issue, disable the fixup protocol esp-ike command and make sure that there is static translation on the PIX for the VPN tunnel endpoint behind the PIX.
Troubleshoot software feature
Firewall - PIX 500 series