Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

fixup protocol esp-ike


Does anybody know how the "fixup protocol esp-ike" really works? I only found a description on CCO "Configuring Application Inspection". And thats really poor.

Whats going on here?!

Thanks a lot Markus

New Member

Re: fixup protocol esp-ike

Hey there,

I was scratching my head last week about the same question and figured out this much.

fixup protocol esp-ike allows only one vpn client on the inside of the PIX to attach to a vpn device( VPN 3005,3030, PIX, etc) on the outside.

What it does is it creates xlates for esp & isakmp (udp 500) for that client.

However, there is one more step. You must allow ESP packets in to the client by means of an ACL.

Ex: access-list outside_acl permit esp any any.

You might want to lock down the ACL a bit more.

I just wanted to point out the 2nd step with a gereric ACL for clarity.

Hope this helps,

Chris Rusin

New Member

Re: fixup protocol esp-ike

Hi Chris,

Thanks a lot for reply.

So it isn't a fixup. It is the same feature that ervery IOS router provides with GRE (PPTP clients) on the inside network that is doing PAT.

The first client works fine because the unidirectional incoming connection for GRE is forwarded to the first outbound connection. (=first client that is doing PPTP outgoing)

In my opinion this fixup is a joke, isn't it?

Best regards Markus