The IPSec VPN tunnel does not come up when there is a PIX 500 Series Firewall with software version 6.x in between the two peers with the fixup protocol esp-ike command configured

Document

Wed, 07/22/2009 - 19:37
Jun 18th, 2009

Core issue


The fixup protocol esp-ike command enables Port Address Translation (PAT) for Encapsulating Security Payload (ESP) traffic for a single tunnel.

The fixup protocol esp-ike command is disabled by default. When the fixup protocol esp-ike command is issued, the fixup is turned on, the PIX Firewall preserves the source port of the Internet Key Exchange (IKE) traffic, and it creates a PAT translation for the ESP traffic. Additionally, while the esp-ike fixup is on, Internet Security Association and Key Management Protocol (ISAKMP) cannot be enabled on any interface of the PIX. With the fixup enabled, the ESP traffic of the tunnel that crosses the PIX is handled by this single-tunnel PAT translation rather than by a fixed translation for the endpoint, and the tunnel between the two peers fails to come up.


Resolution

In order to resolve the issue, disable the fixup with the no fixup protocol esp-ike command and make sure that there is a static translation on the PIX for the VPN tunnel endpoint located behind the PIX, so that the endpoint's ESP and IKE traffic uses a fixed one-to-one translation instead of PAT.
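The following PIX 6.x configuration fragment is an added example and is not part of the original Cisco document. It shows the problem configuration beside the corrected one. All addresses are constructed for the example: 10.1.1.10 is the VPN tunnel endpoint behind the PIX, 192.0.2.10 is the outside address it is statically translated to, and 198.51.100.1 is the remote VPN peer. The inbound access list is an assumption of this example: the document only calls for the static translation, but when the remote peer initiates the tunnel, IKE (UDP 500, isakmp) and ESP (IP protocol 50) must also be permitted inbound to the translated address. Lines beginning with a colon are comments.

```cisco
: Before (problem): esp-ike fixup on, endpoint behind PAT on the outside interface
fixup protocol esp-ike
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0 0 0

: After (resolution): fixup off, static one-to-one translation for the endpoint
no fixup protocol esp-ike
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0

: Assumed for this example: allow the remote peer (198.51.100.1) to reach the
: translated endpoint with IKE and ESP so a peer-initiated tunnel can come up
access-list outside_in permit udp host 198.51.100.1 host 192.0.2.10 eq isakmp
access-list outside_in permit esp host 198.51.100.1 host 192.0.2.10
access-group outside_in in interface outside
```

The global and nat statements can stay in place for the rest of the inside network; a static translation takes precedence over the dynamic PAT for the host it covers. After the change, show fixup should list esp-ike as disabled and show static should list the translation for the endpoint.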


Problem Type

Troubleshoot software feature


Product Family

Firewall - PIX 500 series
