Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco VPN client can't connect from behind PIX

I have two PIX firewalls that are setup identically but are running different versions of the PIX OS. The one running 6.2 allows PCs running the Cisco VPN client to connect to VPN servers outside of the PIX. The other is running 6.3 and does not allow PCs to connect. If my NAT and ACLs statements are basically the same (only real difference is the IPs used) what else can be causing this? How can I troubleshoot?



Cisco Employee

Re: Cisco VPN client can't connect from behind PIX

Try "fixup protocol esp-ike" on the one that doesn't work, although keep in mind this will only allow one internal client to establish a VPN outbound.

Are these two sets of users connecting to the same external server? If not, then it is more likely that the connection that is working is working over NAT-T, or some form of UDP/TCP encapsulation of the IPSec packets. Note the the PIX cannot properly NAT the IPSec packets that go through as they're not TCP or UDP based. NAT-T encapsualtes the IPSec packets between the client and server in UDP packets that can then be NAT'd correctly by the PIX.

Enabling NAT-T is a function of the client and server configuration though, nothing you can do about it on the PIX per se.

New Member

Re: Cisco VPN client can't connect from behind PIX

Is it possible for a non-cisco vpn client to connect thru a PIX 501?

I have the same issue but with Watchguard's MUVPN (Mobile User VPN).

Could this be fixed by a simple access-list?

Any help with this would be great!


Re: Cisco VPN client can't connect from behind PIX

I think MUVPN is an IPsec clientso it uses ESP and UDP 500 like the Cisco client. For NAT-T Cisco use TCP 10,000 and UDP 4500 - I don't know what MUVPN uses.

Try an ACL for debug to find the extra ports, something like:

access-list [inside ACL name] permit ip host [YOUR_IP] host [VPN_SERVER_IP] log

and watch the log for "106100" messages.