Hi .. because your device is behind the PIX, you need to use NAT-T (NAT traversal) to allow IPsec over UDP to traverse the PIX. Depending on the client you are using, you will have to allow whatever ports are used for the encapsulation. For example, the Cisco VPN client uses UDP 4500 or TCP 10000 by default. And so in the case of the Cisco VPN client you only need to allow UDP 4500 or TCP 10000 on the access-list applied to the Inside and Outside interfaces, i.e.
access-list Outside-In permit udp any host <inside-host> eq 4500
access-list Outside-In permit tcp any host <inside-host> eq 10000
access-group Outside-In in interface outside
access-list Inside-Out permit udp host <inside-host> any eq 4500
access-list Inside-Out permit tcp host <inside-host> any eq 10000
access-group Inside-Out in interface inside
[<inside-host> stands for the host address that is missing from the post; on a PIX the outside ACL matches the translated (public) address of that host, and the Inside-Out ACL only matters if an inside access-group is in use.]
Hi .. because your device is behind a PIX which does NAT, you need to use NAT-T (IPsec over UDP/TCP). If you already have a one-to-one static using the only public IP address available, then your only option is to use port forwarding, if it applies to your setup.
With port forwarding you can use one public IP address and then redirect the traffic to inside devices as long as the ports are different .. in other words, you can use the same public IP and redirect traffic on ports 80, 443, 500, 25 etc. to 4 different servers .. again, as long as the ports are different. This would be your only option if you can't get another public IP.
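The single-public-IP layout that both replies describe, worked through as an added example (editor's config, not posted in the thread). It assumes PIX 6.3-style syntax, that 203.0.113.10 is the outside interface address and the only public IP, and that the VPN device sits at 10.1.1.20 with a web server at 10.1.1.10 and a mail server at 10.1.1.12; all addresses are placeholders. Comment lines begin with `!` as in IOS/ASA output; strip them if your PIX rejects them at the CLI.

```text
! Added example, not from the original thread. Assumes PIX 6.3 syntax,
! outside interface 203.0.113.10 as the only public address, and
! inside hosts 10.1.1.10 / 10.1.1.12 / 10.1.1.20 (all placeholders).

! Outbound: PAT everything on the inside onto the outside interface address.
! This alone lets an inside VPN client start IKE (UDP 500) and NAT-T (UDP 4500).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Inbound port forwarding: one public IP, a different port per inside server.
! IKE and NAT-T go to the VPN device; 80/443 and 25 go to other hosts.
static (inside,outside) udp interface 500  10.1.1.20 500  netmask 255.255.255.255
static (inside,outside) udp interface 4500 10.1.1.20 4500 netmask 255.255.255.255
static (inside,outside) tcp interface 80   10.1.1.10 80   netmask 255.255.255.255
static (inside,outside) tcp interface 443  10.1.1.10 443  netmask 255.255.255.255
static (inside,outside) tcp interface 25   10.1.1.12 25   netmask 255.255.255.255

! The outside ACL is written against the translated (public) address.
! There is deliberately no line for ESP (IP protocol 50): it has no ports,
! so it cannot be port-forwarded, which is exactly why the tunnel must use
! NAT-T encapsulation in UDP 4500 here.
access-list Outside-In permit udp any host 203.0.113.10 eq 500
access-list Outside-In permit udp any host 203.0.113.10 eq 4500
access-list Outside-In permit tcp any host 203.0.113.10 eq 80
access-list Outside-In permit tcp any host 203.0.113.10 eq 443
access-list Outside-In permit tcp any host 203.0.113.10 eq 25
access-group Outside-In in interface outside
```

To confirm the forwards are doing what you expect, check `show xlate` for the static translations after a connection attempt and watch the hit counts in `show access-list Outside-In`; a NAT-T peer that never shows a UDP 4500 translation is usually still trying raw ESP, which this layout cannot pass.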