Thanks for the resposne. I just mentioned the PAT to get the point across that I was not statically NATing the internal users to their own IPs. The PAT is in place for all outbound traffic. I have read that you can only use the fixup for ESP if the PIX isn't also terminating other IPSEC VPN Connections (which it is). It is part of a VPN meshed network. Lastly, I have read that even if the PIX weren't terminating VPN Connections, that the fixup would only allow 1 VPN Connection from an internal client at a time. And that won't work because I have 14 users who need to access this remote network. Have I been mis-lead or have I mis-read. Thanks for the help !

Eric Watters

Atlanta, Ga.

Yes .. you are correct .. the fixup only allows one IPsec connection at the same time and can't be applied when you are already terminating a VPN tunnel on the PIX in fact if you try to type in the fix up you will receive an error message .. What you could try is finding out whether the client supports nat-transaparency and which ports does it use for it .. For example a cisco client uses UDP 4500 or TCP 10000 by default then your could try creating an access-list which allows udp 4500, 500, and TCP 10000 ( in the case of the cisco client ) .. this needs to be applied to the outside and inside interfaces on the inbound direction.

The issue is basically incompatibility between ESP and NAT/PAT .. but the transparency feature will encapsulate the ESP packet on a UDP header and the PAT should work .. I have not done this myself and so please let us know how you go.

Please let me know how you go .. and rate it if it helps ..

Well, as mentioned there is issues between PAT and IPSEC. If those who wants VPN to the nortel are limited, you can create static NAT's for them and then allow ESP and AH to their IP addresses. This would work 100%. However, this depend on how many are they and if this is feasible for you.

Please rate if this helps,