I have two PIX firewalls that are set up identically but are running different versions of the PIX OS. The one running 6.2 allows PCs running the Cisco VPN client to connect to VPN servers outside of the PIX. The other is running 6.3 and does not allow PCs to connect. If my NAT and ACL statements are basically the same (only real difference is the IPs used), what else can be causing this? How can I troubleshoot?
Re: Cisco VPN client can't connect from behind PIX
Try "fixup protocol esp-ike" on the one that doesn't work, although keep in mind this will only allow one internal client to establish a VPN outbound.
Are these two sets of users connecting to the same external server? If not, then it is more likely that the connection that is working is working over NAT-T, or some form of UDP/TCP encapsulation of the IPSec packets. Note that the PIX cannot properly NAT the IPSec packets that go through as they're not TCP or UDP based. NAT-T encapsulates the IPSec packets between the client and server in UDP packets that can then be NAT'd correctly by the PIX.
Enabling NAT-T is a function of the client and server configuration though, nothing you can do about it on the PIX per se.
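To tell the two cases in the reply apart from a packet capture taken on the PIX's inside interface, here is an added Python example (not from this thread): it classifies raw IPv4 packets as plain IKE, NAT-T on UDP/4500 (IKE or UDP-encapsulated ESP) or raw ESP (IP protocol 50), and gives a verdict on whether PAT can carry the tunnel. The packet builders, addresses and sample packets are constructed for the demo.

```python
import struct
# IP protocol numbers and UDP ports that matter for IPsec through a PAT device
IPPROTO_UDP, IPPROTO_ESP = 17, 50     # raw ESP has no L4 ports, so PAT cannot track it
IKE_PORT, NAT_T_PORT = 500, 4500      # IKE/ISAKMP; NAT-T = IKE and ESP wrapped in UDP (RFC 3948)

def classify_ipsec_packet(pkt: bytes) -> str:
    """Classify one raw IPv4 packet as a NAT device would see it.
    Returns 'ike', 'nat-t-ike', 'nat-t-esp', 'raw-esp' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == IPPROTO_ESP:
        return "raw-esp"                      # IP proto 50: nothing for PAT to rewrite
    if proto != IPPROTO_UDP or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike"
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: IKE on UDP/4500 begins with a 4-byte zero "non-ESP marker";
        # anything else on 4500 is UDP-encapsulated ESP (first 4 bytes are a nonzero SPI)
        if payload[:4] == b"\x00\x00\x00\x00":
            return "nat-t-ike"
        return "nat-t-esp"
    return "other"

def nat_verdict(packets) -> str:
    """Summarise a capture: 'nat-t' (PAT-friendly), 'raw-esp' (needs fixup protocol esp-ike
    or NAT-T on client/server), or 'none' if no IPsec data traffic was seen."""
    kinds = {classify_ipsec_packet(p) for p in packets}
    if "nat-t-esp" in kinds:
        return "nat-t"
    if "raw-esp" in kinds:
        return "raw-esp"
    return "none"

def build_ipv4(proto: int, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed test-packet builder (IPv4 header with zero checksum, not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
# Constructed samples: an inside client (10.1.1.25) talking to a VPN server (203.0.113.9)
INSIDE, SERVER = bytes([10, 1, 1, 25]), bytes([203, 0, 113, 9])
ESP_BODY = b"\x00\x00\x12\x34" + b"\x00" * 12           # SPI 0x1234 followed by dummy sequence/data
SAMPLE_IKE = build_ipv4(IPPROTO_UDP, INSIDE, SERVER, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
SAMPLE_RAW_ESP = build_ipv4(IPPROTO_ESP, INSIDE, SERVER, ESP_BODY)
SAMPLE_NAT_T_ESP = build_ipv4(IPPROTO_UDP, INSIDE, SERVER, build_udp(NAT_T_PORT, NAT_T_PORT, ESP_BODY))
```

A verdict of `raw-esp` on the 6.3 box means the client is not negotiating NAT-T with that server, which matches the one-client-only `fixup protocol esp-ike` workaround above.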