PIX 501 IPSec over TCP

gdankberg
Level 1

I have a customer with a PIX 501 who would like to set up IPSEC tunnels using the VPN 3000 client. Because this customer may be establishing these tunnels from behind a firewall at remote sites, he would like to use IPSEC over TCP. Will the PIX 501 support this, and do you have any sample configurations for this?

5 Replies

afakhan
Level 4

Hi,

PIX doesn't support ipsec/tcp (only vpn3000), so best bet for you is to download pix OS V6.3.1, and use a windows vpn client V3.6 (or later) to negotiate NAT-T (IPsec/UDP on UDP 4500).

Other than the regular config on the pix for client connections, you would need the isakmp nat-t line.

Thx

Afaq

Which PIX do I add the isakmp nat-t line to, the PIX that is terminating the tunnel or the PIX in the middle that the client is behind?

Add:

> isakmp nat-traversal

to the PIX that is terminating the tunnel. It and the client will automatically detect that there's a NAT device in between them and will encapsulate everything in UDP 4500 packets.

Any configuration needed for the PIX in the middle?

Nothing special, just the NAT config that is already on there so that packets pass thru it properly.
