VPN Client users are unable to connect beyond the PIX firewall or ASA

Wed, 07/22/2009 - 19:52
Jun 22nd, 2009

Core issue

In PIX Firewall version 6.x, if the fixup protocol esp-ike command is enabled, VPN Client users behind the firewall are able to connect through it. The problem with this fix is that it breaks any tunnels that terminate on this firewall.

The fixup protocol esp-ike command enables Port Address Translation (PAT) for Encapsulating Security Payload (ESP) for a single tunnel.

Note: The fixup protocol esp-ike command is disabled by default.

If a fixup protocol esp-ike command is issued, the firewall preserves the source port of the Internet Key Exchange (IKE) and creates a PAT translation for ESP traffic. Additionally, in this case, the Internet Security Association and Key Management Protocol (ISAKMP) cannot be enabled on any interface.

The fixup protocol esp-ike command is no longer supported in PIX Firewall version 7.0; NAT Traversal (NAT-T) is enabled instead.

Resolution

In order to allow VPN clients to connect beyond the firewall, enable NAT-T on the PIX/ASA and use a VPN client that is NAT-T capable.

In order to enable NAT-T on the PIX, issue the isakmp nat-traversal 20 command. Refer to these documents for more information on NAT-T configurations:
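As an added check (not part of the original document), the script below audits a PIX/ASA configuration text for the conditions described above: the esp-ike fixup being enabled together with ISAKMP on an interface, and NAT-T being absent. The sample configurations are constructed, and accepting an optional "crypto " prefix on the isakmp commands (later ASA syntax) is an assumption.

```python
"""Check a PIX/ASA configuration for the esp-ike / NAT-T conditions described above."""
import re

# Constructed sample configs (not from the original document).
SAMPLE_PIX6 = """\
! PIX 6.x style: esp-ike fixup turned on together with ISAKMP on outside
fixup protocol esp-ike
isakmp enable outside
"""
SAMPLE_PIX7 = """\
! PIX/ASA 7.x style: esp-ike fixup is gone, NAT-T enabled instead
isakmp enable outside
isakmp nat-traversal 20
"""

def audit_pix_config(config):
    """Return a dict describing esp-ike, ISAKMP interfaces, NAT-T state and issues."""
    esp_ike, isakmp_ifaces, nat_t_enabled, keepalive = False, [], False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comment lines
        # Accept the later 'crypto isakmp ...' spelling as well (assumption).
        line = re.sub(r"^(no )?crypto ", r"\1", line)
        if line == "fixup protocol esp-ike":
            esp_ike = True
        elif line == "no fixup protocol esp-ike":
            esp_ike = False
        elif re.fullmatch(r"isakmp enable \S+", line):
            isakmp_ifaces.append(line.split()[2])
        elif re.fullmatch(r"isakmp nat-traversal( \d+)?", line):
            nat_t_enabled = True
            parts = line.split()
            keepalive = int(parts[2]) if len(parts) == 3 else None
        elif line == "no isakmp nat-traversal":
            nat_t_enabled, keepalive = False, None
    issues = []
    if esp_ike and isakmp_ifaces:
        issues.append("esp-ike fixup conflicts with 'isakmp enable' on: " + ", ".join(isakmp_ifaces))
    if esp_ike:
        issues.append("esp-ike fixup allows ESP PAT for one tunnel only and breaks tunnels terminating here")
    if not nat_t_enabled:
        issues.append("NAT-T not enabled; add 'isakmp nat-traversal 20' for clients behind PAT")
    return {"esp_ike": esp_ike, "isakmp_ifaces": isakmp_ifaces,
            "nat_t_enabled": nat_t_enabled, "nat_t_keepalive": keepalive, "issues": issues}

if __name__ == "__main__":
    for name, cfg in (("PIX 6.x", SAMPLE_PIX6), ("PIX 7.x", SAMPLE_PIX7)):
        print(name, audit_pix_config(cfg))
```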
