Re: How to allow cisco vpn 3.5 client on windows through Pix 506
The problem here is you're doing PAT and IPSec is not a TCP/UDP type packet which can be PAT'd easily. The PIX doesn't currently support IPSec thru PAT specifically. You can remedy this a few ways.
Probably the easiest is to enable the IPSec over UDP feature in the VPN client. You do this in the concentrator config under the group the user is connecting to. Under the Client Config tab check the IPSec over UDP box. Now when the client connects all the IPSec packets will be encapsulated into UDP port 10000 (default) packets, which the PIX will then be able to PAT successfully.
In the 3.6 client you can also do IPSec over TCP, which encapsulates ALL the IPSec and ISAKMP packets into a TCP stream, which again the PIX can then PAT successfully.
Or, on the PIX itself you can define a static translation for this inside host rather than let it use the nat/global config, so that the traffic will be NAT'd instead of PAT'd and that should work also. You'll need an access-list to allow the IPSec packets back into the PIX because it won't open a hole for those like it does with TCP/UDP packets.
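An added example (not from the original post) of the static-translation option described above, in PIX 6.x syntax: the inside client gets a one-to-one translation instead of PAT, and an inbound access-list admits the returning ISAKMP (UDP 500) and ESP (IP protocol 50) traffic, since ESP has no ports for the PIX to track. All addresses and names are placeholders.

```cisco
! One-to-one static translation for the inside VPN client
! (placeholders: 203.0.113.10 = public address on the outside,
!  192.168.1.50 = the workstation running the VPN client)
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255

! Return traffic from the VPN concentrator (placeholder 198.51.100.5)
! ISAKMP / IKE negotiation
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 500
! ESP carries the encrypted data; it has no ports, so the PIX will not
! open a return hole for it on its own and the explicit permit is required
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10

! Apply the list inbound on the outside interface
access-group outside_in in interface outside
```

Restricting the permits to the concentrator's address keeps the hole as narrow as possible; the same static/access-list pair is needed once per inside client that connects this way.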