04-04-2003 12:36 PM - edited 02-21-2020 12:27 PM
I have a customer with a PIX 501 who would like to set up IPSEC tunnels using the VPN 3000 client. Because this customer may be establishing these tunnels from behind a firewall at remote sites, he would like to use IPSEC over TCP. Will the PIX 501 support this and do you have any sample configurations for this?
04-04-2003 07:02 PM
Hi,
PIX doesn't support ipsec/tcp (only vpn3000), so best bet for you is to download pix OS V6.3.1, and use a windows vpn client V3.6 (or later) to negotiate NAT-T (IPsec/udp on UDP 4500).
Other than the regular config on the pix for client connections, you would need isakmp nat-t line.
Thx
Afaq
04-14-2003 02:31 PM
Which PIX do I add the isakmp nat-t line to, the PIX that is terminating the tunnel or the PIX in the middle that the client is behind?
04-14-2003 02:48 PM
Add:
> isakmp nat-traversal
to the PIX that is terminating the tunnel. It and the client will automatically detect that there's a NAT device in between them and will encapsulate everything in UDP 4500 packets.
04-14-2003 08:20 PM
Any configuration needed for the PIX in the middle?
04-16-2003 04:32 PM
Nothing special, just the NAT config that is already on there so that packets pass thru it properly.
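Added example (not part of the original thread and not Cisco code): a Python sketch that classifies the UDP 4500 payloads described above, as they would be seen on the NAT device in the middle, to confirm that NAT-T encapsulation is actually in use. It assumes the RFC 3948 framing (a single 0xFF byte is a keepalive, four zero bytes precede an IKE header, anything else starts with an ESP SPI); the function names and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

NATT_PORT = 4500                 # UDP port named in the thread
NON_ESP_MARKER = b"\x00" * 4     # RFC 3948: precedes IKE on the NAT-T port
IKE_HDR = struct.Struct("!8s8sBBBBII")  # 28-byte ISAKMP/IKE header


def classify_natt_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload (framing per RFC 3948, assumed here)."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "shorter than SPI/marker"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            return {"kind": "malformed", "reason": "truncated IKE header"}
        i_spi, _r_spi, _np, ver, exch, _flags, _mid, length = IKE_HDR.unpack(
            ike[:IKE_HDR.size])
        return {
            "kind": "ike",
            "version": f"{ver >> 4}.{ver & 0x0F}",
            "exchange_type": exch,
            "initiator_spi": i_spi.hex(),
            "length_ok": length == len(ike),  # header length vs. bytes seen
        }
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": f"0x{spi:08x}", "seq": seq}


def summarize(payloads) -> dict:
    """Count payload kinds, e.g. to check that ESP really rides in UDP 4500."""
    return dict(Counter(classify_natt_payload(p)["kind"] for p in payloads))


# Constructed sample payloads (not captured traffic).
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(
    bytes.fromhex("1122334455667788"), bytes(8), 1, 0x10, 4, 0, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0x1A2B3C4D, 7) + bytes(32)
SAMPLES = [SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP, b"\xff", b"\x00\x00"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify_natt_payload(p))
    print(summarize(SAMPLES))
```

If a capture on the middle device shows only IKE and no ESP-in-UDP on port 4500, the peers did not negotiate NAT-T and the tunnel traffic is likely being dropped at the NAT.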