Cisco Support Community

New Member

Configuring PIX 525 - client behind Pix using SecureRemote

The Pix is using global PAT. IPsec-permit has been enabled. Ver 5.2.3

The client is in the DMZ. When he initiates the connection he gets authenticated but no traffic will pass, i.e. can't ping or use terminal services.

Outside the pix the client works. Is the use of PAT the problem? What is the solution?



Cisco Employee

Re: Configuring PIX 525 - client behind Pix using SecureRemote

Yes, PAT is the problem. PAT and IPSec don't work well together, since PAT uses the TCP/UDP port number to differentiate between sessions, and IPSec is not a TCP/UDP protocol (it sits right on top of IP). The connection is established successfully because that is done with ISAKMP, which is a UDP protocol, so that can be PAT'd OK. The data is sent in IPSec packets, which can't be PAT'd.

You'll have to create a static one-to-one translation for the client and then it'll work fine.

Also, in PIX 6.3 code (not released yet), there is supposed to be support for IPSec thru PAT (IPSec passthru), so watch out for it.
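To make the reasoning in the answer concrete, here is an added Python simulation (not from this thread and not PIX code) of the two translation modes: port overload (PAT) keys sessions on a TCP/UDP source port, so a constructed ISAKMP packet on UDP/500 gets an entry while a constructed ESP packet (IP protocol 50, which has an SPI but no port field) cannot be translated, whereas a one-to-one static mapping rewrites only the address and passes both. The client, peer and global addresses are assumed RFC 5737 documentation addresses.

```python
import struct

IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ESP = 6, 17, 50
ISAKMP_PORT = 500


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left 0 since nothing is transmitted
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp(spi, seq, data):
    # ESP header is only SPI + sequence number: there is no port field at all
    return struct.pack("!II", spi, seq) + data


def pat_translate(pkt, global_ip, table):
    # PAT tells sessions apart by source port; returns None if there is none
    proto = pkt[9]
    if proto not in (IP_PROTO_TCP, IP_PROTO_UDP):
        return None  # ESP cannot be multiplexed on one global address
    src = ".".join(str(b) for b in pkt[12:16])
    sport = struct.unpack("!H", pkt[20:22])[0]
    key = (src, proto, sport)
    table.setdefault(key, 1024 + len(table))  # allocate a global port per session
    return (pkt[:12] + ip_bytes(global_ip) + pkt[16:20]
            + struct.pack("!H", table[key]) + pkt[22:])


def static_translate(pkt, mapping):
    # One-to-one static NAT rewrites only the source address, any IP protocol passes
    src = ".".join(str(b) for b in pkt[12:16])
    return None if src not in mapping else pkt[:12] + ip_bytes(mapping[src]) + pkt[16:]


def simulate(client="192.168.1.10", peer="203.0.113.5", global_ip="198.51.100.1"):
    # Constructed sample traffic: ISAKMP negotiation on UDP/500, then one ESP data packet
    isakmp = ipv4(client, peer, IP_PROTO_UDP, udp(ISAKMP_PORT, ISAKMP_PORT, b"SA"))
    data = ipv4(client, peer, IP_PROTO_ESP, esp(0x1234, 1, b"ciphertext"))
    table = {}
    return {"isakmp_over_pat": pat_translate(isakmp, global_ip, table) is not None,
            "esp_over_pat": pat_translate(data, global_ip, table) is not None,
            "esp_over_static": static_translate(data, {client: global_ip}) is not None}
```

Running `simulate()` shows the thread's symptom: the ISAKMP exchange translates (authentication succeeds), the ESP data packets are dropped by PAT, and the same ESP packet passes once a static one-to-one mapping exists.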
