Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX 6.0 with Client 3.0 behind NAT/PAT

I have a situation where two sites have Internet access only. One PC at the central site requires secure access to a server at the remote site.

Both sites have a PIX 515. The central site has OS 4.3 and the remote site has OS 6.11. Each does NAT and PAT for the PC's on the inside interface. I setup the PIX at the remote site for VPN client access. I installed the VPN client 3.11 on a PC at the central site. I am able to form the SA, but am unable to pass any traffic.

The statistics monitor on the PC shows that it is encrypting packets to the remote site and the PIX shows that the SA has been created. I receive no responses to pings from the PC to the server through the VPN using the server's internal address.

I have tried configuring a static for the PC to see if that would help. It still creates the SA and does not receive responses.

Is it possible to create this VPN tunnel for a PC from behind another PIX doing NAT? Do I need to upgrade the OS on the PIX at the central site to support this?

Would a downgrade to the older VPN client help in this situation or am I right to try to use the Client 3.11? Is this a supported configuration? Am I better off just upgrading the central PIX and trying to do a site to site VPN and use access lists to control which PC's can access the server?

Any help would be greatly appreciated.



Cisco Employee

Re: PIX 6.0 with Client 3.0 behind NAT/PAT

You really need to have the functionality of IPSec thru NAT turned on, which the new client is capable already, but not the PIX as yet, see CSCdv32490. You

be better off upgrading the 4.2 code of the PIX to a 5.x code and do a site to site lan. This way, you have a centralised control of the vpn tunnel, and it would be transparent to the client, as you don't need to install anything on their desktops.

New Member

Re: PIX 6.0 with Client 3.0 behind NAT/PAT

I created a static for the two PC's that were behind the old PIX. This allowed them both to create the tunnel. I was not able to pass traffic successfully until I created 3 conduits on the old central site PIX to allow the traffic back in. I was told by Cisco TAC that this was because the PIX was too old. If I had upgraded from 4.4 to 5.x it should have worked without the conduits.

Apparently the key to getting this to work is having a static IP address for the PC VPN client. PAT will not work for them unless you have a VPN concentrator.

conduit permit esp host VPN-Client-PC host PIX-external-Address

conduit permit ahp host VPN-Client-PC host PIX-external-Address

conduit permit udp host VPN-Client-PC eq isakmp host PIX-external-Address