
PIX 506E

zulqurnain
Level 3

Hi all,

I have a PIX 506E on which we have a VPN "crypto map with isakmp" tunnel created with a second party, to be used for a particular business need.

Recently we are undergoing another project with them, and for this they require us to allow specific IP addresses to be able to communicate with their servers, which will be separate from those which we do at the moment, i.e. they plan to use a VPN client from these specific computers which will create a VPN tunnel using IPSec to connect through this PIX.

"I have uploaded the PIX config for review"

Now, as far as I know, the PIX does NAT, and if NAT is working then any VPN client trying to establish a VPN tunnel through the PIX using IPSec will not work unless I have "nat-traversal", but the command is "isakmp nat-traversal 20".

Anyway, if anyone can understand the problem and can help me out here, then it would be really great.

2 Replies

a.kiprawih
Level 7

You need to create/add another set of crypto map vpn and isakmp policy to differentiate the second VPN access, i.e. add crypto map vpn 20 and isakmp policy 2.

BTW, the "isakmp nat-traversal 20" command is referring to a NAT keepalive of 20 seconds. You can put any value between 10 and 3600.

Cheers!

AK

Hi AK,

But like I said, this time we will be using client VPN-based software to establish the tunnel, but through the PIX itself. So even in this case I would need to add/create another set of crypto map vpn.
