Cisco Support Community
Community Member

Pix VPN client behind Pix firewall

Main office has Pix 501 VPN. Users connect and all is good.

One person has a PIX at home. Using cable modem access. Everything is just fine with just cable modem and PC. However, put the PIX between PC and cable modem and VPN tunnel doesn't get established.

Is this a PAT problem? When PIX is in place, the PC has a private, DHCP address. When PIX is not in place, PC has a public address assigned by ISP.


Community Member

Re: Pix VPN client behind Pix firewall

As far as I know this does not work.

The first problem is that the PIX at the home office will not pass through the IPSec traffic. I'm not sure why this is. I swapped out my PIX at home for a Linksys DSL router and now I can VPN back to our main office just fine.

Here is another way around this. The VPN client supports IPSec over a specific TCP port. You could then configure the VPN endpoint at the main office to accept IPSec over that specific TCP port.

The problem with this is that the PIX as the termination endpoint cannot be configured this way, only the VPN concentrators.

I would love to be able to do this myself, so if there is a workaround I would really like to know.

Community Member

Re: Pix VPN client behind Pix firewall

Try enabling UDP for VPNs. NAT messes with port numbers and breaks VPNs.

Community Member

Re: Pix VPN client behind Pix firewall

There are two workarounds:

use a static public address mapped to your PC

use IPSec over TCP (as stated in the other replies)

Hope this helps.
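
Added example, not part of the thread: a simplified Python model of a port-overloading NAT (PAT), showing why plain ESP gives PAT no port to rewrite while ESP wrapped in UDP is translated like any other flow. The addresses, the `SimplePat` class and UDP port 4500 (the RFC 3948 NAT-T port) are assumptions for illustration; real devices may treat ESP differently.

```python
import struct

ESP, TCP, UDP = 50, 6, 17  # IANA IP protocol numbers

def ipv4(proto, payload, src, dst="203.0.113.5"):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    pack_addr = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, pack_addr(src), pack_addr(dst))
    return header + payload

class SimplePat:
    """Hypothetical PAT that can only track flows carrying TCP/UDP ports."""
    def __init__(self, first_port=20000):
        self.next_port = first_port
        self.table = {}  # (proto, inside_ip, inside_port) -> public port

    def outbound(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4                  # IP header length in bytes
        proto = pkt[9]
        src = ".".join(map(str, pkt[12:16]))
        if proto not in (TCP, UDP):
            # ESP begins with SPI + sequence number: no port field to overload,
            # so this model cannot tell two inside hosts apart and drops it.
            return ("drop", proto, None)
        sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
        key = (proto, src, sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return ("translate", proto, self.table[key])

def demo():
    # Constructed ESP body: SPI, sequence number, 16 bytes of dummy ciphertext
    esp_body = struct.pack("!II", 0x1000, 1) + bytes(16)
    # The same ESP body wrapped in a UDP header (src 4500, dst 4500)
    udp_wrap = struct.pack("!HHHH", 4500, 4500, 8 + len(esp_body), 0) + esp_body
    pat = SimplePat()
    return [
        pat.outbound(ipv4(ESP, esp_body, "192.168.1.10")),   # plain ESP
        pat.outbound(ipv4(UDP, udp_wrap, "192.168.1.10")),   # ESP in UDP, host 1
        pat.outbound(ipv4(UDP, udp_wrap, "192.168.1.11")),   # ESP in UDP, host 2
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Both inside hosts use the same UDP source port, yet each gets its own public port, which is what lets the return traffic be mapped back to the right PC.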
