Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 501 Blocks VPN traffic?


When I try to use my VPN Client to conect my office from a LAN (in this case a Hotel) that uses a PIX 501as their firewall it doesn't work at all (peer not responding although Internet access does work).

If I connect directly to the hotel's ADSL router Vpn works great.

Seems that the hotel's pix blocks vpn traffic, what should I change at their Pix config to allow guests use their laptop's vpn clients?

Thanks in Advance.

New Member

Re: PIX 501 Blocks VPN traffic?

You are probably running into a IPSEC through NAT issue where the PIX is doing the nating. Are you terminating to a vpn concentrator? If so, you can do tcp over ipsec/nat transperancy etc, to get over these issues. If you are using a router or pix to terminate your vpn clients then you should just use the ADSL connection for now as they do not have those features yet.

New Member

Re: PIX 501 Blocks VPN traffic?

I am running into the same issue with a SOHO. I cannot pass traffic through to a VPN Concentrator (Nortel Contivity 1000). Could you please tell me, or point me to a tech note that explains ipsec/nat transparency. Your help is greatly appreciated.



New Member

Re: PIX 501 Blocks VPN traffic?

The PIX doesn't yet support IPSEC passthrough, unlike cheaper products from Linksys et al. I understand it is something being addressed for a future version of software. As the above message says, there is a work-around if you are using a VPN con centrator, but if your are doing standards based IPSEC to a router or to another manufacturers box (Contivity) then you are stuck for the moment.

New Member

Re: PIX 501 Blocks VPN traffic?

Thanks for your answers,

In my case we use a router as the terminating device. I understand that succesfully connecting depends on each guest´s terminating device.

If they use a VPN concentrator it could be solved configuring this device.

If they use a router/firewall a new Pix software release is needed.

Thanks again.