Community Member

Pix 501 VPN Passthrough

I am a novice/new Cisco user. I have been struggling trying to configure a Cisco Pix 501 to allow passthrough of VPN traffic. I have reviewed many articles and posts but have not had success in putting the proper configuration together. I am running a Symantec VPN client to a Symantec Security Gateway. The VPN works fine when the PIX is out of the configuration.

The Pix is version 6.3 and I also have PDM 3.0 working. I am new to the routing world. I understand most concepts but I seem to be missing a vital piece of information. The error on the Symantec VPN client is as follows: Error connecting tunnel to The server rejected the ISAKMP Security association. Make sure the Phase1 ID's, shared key and IKE policy are correct.

Thank you for your assistance.


Re: Pix 501 VPN Passthrough

Community Member

Re: Pix 501 VPN Passthrough

Thank you for the quick response. However, applying the one fixup command did not help the situation.

Re: Pix 501 VPN Passthrough

Hello Tom,

I don't know if it works in 6x IOS, but here is another inspection:

fixup protocol ipsec-pass-thru

Also make sure that you did a one-to-one static mapping (conduits used in legacy IOS) for an unused public IP of yours, because you cannot PAT GRE or ESP to an internal host. And you may also need an outside ACL:

access-list outside_access_in permit gre xxx

access-list outside_access_in permit ipsec xx

access-list outside_access_in permit esp xxx

access-list outside_access_in permit ah xxx


Community Member

Re: Pix 501 VPN Passthrough

Thank you for your replies. I still cannot get it to function. We will be replacing this configuration soon with new equipment. I will then have better tech support onsite. I will also be taking classes.

Thank you.

Cisco Employee

Re: Pix 501 VPN Passthrough


Are there any access-lists on the Pix applied inbound? If so, after you configured the Pix 501 with the "fixup protocol esp-ike" command, did you permit ESP in the access-list? I have seen some configurations where the esp-ike works only when there is an inbound ACL that permits ESP.


access-list INBOUND permit esp any any



*Pls rate if it helps*
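
Added example, not part of any post in this thread: a Python check that reads a PIX 6.3 configuration and reports which of the pass-through prerequisites suggested in the replies are present (the esp-ike fixup, a one-to-one static, and an inbound ACL on the outside interface that permits ESP and ISAKMP). The sample configuration, its addresses, and the function names are constructed for illustration; the check only looks for permit lines and does not evaluate deny ordering.

```python
import re

# Constructed sample configuration (not from the thread); documentation-range addresses.
SAMPLE_CONFIG = """\
fixup protocol esp-ike
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list outside_access_in permit udp host 198.51.100.20 eq isakmp host 203.0.113.10 eq isakmp
access-list outside_access_in permit esp host 198.51.100.20 host 203.0.113.10
access-group outside_access_in in interface outside
"""

def audit_passthrough(config, outside_if="outside"):
    """Report which IPsec pass-through prerequisites named in the thread are present."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    # Find the ACL bound inbound on the outside interface, if any.
    bound = None
    for l in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)$", l)
        if m and m.group(2) == outside_if:
            bound = m.group(1)
    # Collect the VPN-relevant protocols that the bound ACL permits.
    permits = set()
    for l in lines:
        m = re.match(r"access-list (\S+) permit (\S+)(.*)$", l)
        if m and m.group(1) == bound:
            proto, rest = m.group(2), m.group(3)
            if proto == "udp" and re.search(r"\beq (isakmp|500)\b", rest):
                permits.add("isakmp")
            elif proto in ("esp", "50"):
                permits.add("esp")
    return {
        "fixup_esp_ike": "fixup protocol esp-ike" in lines,
        "static_one_to_one": any(
            re.match(r"static \(\w+,\w+\) \S+ \S+ netmask 255\.255\.255\.255", l) for l in lines),
        "inbound_acl": bound,
        "acl_permits_esp": "esp" in permits,
        "acl_permits_isakmp": "isakmp" in permits,
    }

def missing(report):
    """Names of the checks that came back empty or false."""
    return [k for k, v in report.items() if not v]
```

A configuration that relies on PAT with the esp-ike fixup will report `static_one_to_one` as missing; that is expected for that approach.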
