Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Configuring VPN pass through in PIX 501

Need to configure the following:

PC with VPN client 3.5.2 --- PIX 501 (v 6.2) --- Internet --- VPN Concentrator 3000 - Company network

External interface of PIX has only 1 PPPoE address assigned by ISP.

Problem is that after tunnel is up, there is no traffic inbound from the company network.

This config works if I substitute the PIX with a Dlink 804V router. The difference is a line in the VPN client log:

22 10:10:45.820 06/22/03 Sev=Info/4 IPSEC/0x63700019

Activate outbound key with SPI=0xf7b90d23 for inbound key with SPI=0x51bb9760

The above line is missing in the PIX case.

I've setup NAT for the PIX and sysopt connection permit-ipsec

What could be the problem?

Is there any article showing how to setup pass through VPN access through a PIX 501?


Re: Configuring VPN pass through in PIX 501

Do you control the vpn 3000? I would enable the encapsulation through UDP feature - it works great behind all kinds of NAT devices that may or may not have some IPSec awareness that can get in the way. It is enabled by default on the cisco client software. I got similar behaviour to you when I disabled the use of this feature on my client when connecting with it from behind my 501 to my 3000 at work - an inbound tunnel works, but outbund does not. I don't think fixup protocol esp-ike works on pixen doing PAT, so that probably isn't an option.

New Member

Re: Configuring VPN pass through in PIX 501


I don't control the VPN3k. However, I was told that transparent tunneling is enabled on UDP( and that's what it was at the client options). I am able to get the VPN tunnel to talk properly using the following PIX configuration, but only the designated can access Internet and VPN now, the other machines in the LAN can't do anything until I remove the static statement.

I read that in PIX 6.2 there is a limitation of 1 traversal VPN through the PIX but that's all I need. So, what can I do to allow the other PCs access Internet while I VPN back to work?



PIX configuration:

access-list to_outside permit ip any

access-list to_outside permit icmp any

access-list from_work permit ip host

access-list from_work permit icmp any any time-exceeded

access-list from_work permit icmp any any echo-reply

mtu outside 1400

mtu inside 1500

ip address outside pppoe setroute

ip address inside

global (outside) 1 interface

nat (inside) 1 0 0

static (inside,outside) interface 0 0

access-group from_work in interface outside

access-group to_outside in interface inside

New Member

Re: Configuring VPN pass through in PIX 501


You don`t need to define the static NAT. The global (outside) and nat (inside) combination will take care the IP address translation of the VPN client traffic (which are UDP port 500 and UDP port 10000 in case of IPSec over UDP encapsulation).

By the way, what version of the client do you use ?



CreatePlease to create content