Do you control the VPN 3000? I would enable the encapsulation through UDP feature - it works great behind all kinds of NAT devices that may or may not have some IPSec awareness that can get in the way. It is enabled by default on the Cisco client software. I got similar behaviour to you when I disabled the use of this feature on my client when connecting with it from behind my 501 to my 3000 at work - an inbound tunnel works, but outbound does not. I don't think fixup protocol esp-ike works on pixen doing PAT, so that probably isn't an option.
I don't control the VPN3k. However, I was told that transparent tunneling is enabled on UDP (and that's what it was at the client options). I am able to get the VPN tunnel to talk properly using the following PIX configuration, but only the designated can access the Internet and VPN now; the other machines in the LAN can't do anything until I remove the static statement.
I read that in PIX 6.2 there is a limitation of 1 traversal VPN through the PIX, but that's all I need. So, what can I do to allow the other PCs to access the Internet while I VPN back to work?
access-list to_outside permit ip 192.168.1.0 255.255.255.0 any
access-list to_outside permit icmp 192.168.1.0 255.255.255.0 any
access-list from_work permit ip host 192.168.1.0 255.255.255.0
access-list from_work permit icmp any any time-exceeded
access-list from_work permit icmp any any echo-reply
You don't need to define the static NAT. The global (outside) and nat (inside) combination will take care of the IP address translation of the VPN client traffic (which are UDP port 500 and UDP port 10000 in case of IPSec over UDP encapsulation).
By the way, what version of the client do you use?