Hi! Tanks for your answer.

Below you can read our PIX config. We have used PDM ver 2.0.2 to configure VPN. We used VPN wizard.

We are using interface named VPN for our tests.

Best regards

PIX config:

pixfirewall# show runn

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

nameif ethernet3 vpn security15

enable password L4oiKMFqu295Ts2J encrypted

passwd L4oiKMFqu295Ts2J encrypted

hostname pixfirewall

domain-name ciscopix.com

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names

access-list CSM-acl-inside permit icmp any any echo-reply

.

.

.

access-list CSM-acl-inside permit ip 10.11.0.0 255.255.0.0 10.80.0.0 255.255.0.0

access-list CSM-acl-outside permit icmp any any echo-reply

.

.

.

access-list CSM-acl-outside permit udp host 10.80.1.18 host xxx.xxx.xxx.xxx

access-list CSM-acl-dmz permit udp xxx.xxx.xxx.xxx 255.255.255.224 host xxx.xxx.xxx.xxx eq syslog

.

.

.

access-list CSM-acl-dmz permit tcp xxx.xxx.xxx.xxx 255.255.255.224 host xxx.xxx.xxx.xxx eq smtp

access-list inside_outbound_nat0_acl permit ip any 10.100.1.0 255.255.255.0

access-list vpn_cryptomap_dyn_20 permit ip any 10.100.1.0 255.255.255.0

access-list vpn_cryptomap_dyn_40 permit ip any 10.100.1.0 255.255.255.0

pager lines 24

logging on

logging timestamp

logging buffered warnings

logging trap warnings

logging history warnings

logging host inside xxx.xxx.xxx.xxx

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 auto

interface ethernet3 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu vpn 1500

ip address outside 10.70.1.2 255.255.255.0

ip address inside xxx.xxx.xxx.xxx 255.255.255.0

ip address dmz xxx.xxx.xxx.xxx 255.255.255.224

ip address vpn xxx.xxx.xxx.xxx 255.255.255.224

ip audit info action alarm

ip audit attack action alarm

ip local pool IT-ip-pool 10.100.1.1-10.100.1.254

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

failover ip address vpn 0.0.0.0

pdm location 10.10.111.7 255.255.255.255 inside

.

.

.

pdm location 10.101.1.0 255.255.255.0 vpn

pdm logging warnings 100

pdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0 0 0

static (inside,outside) xxx.xxx.xxx.0 xxx.xxx.xxx.0 netmask 255.255.255.0 0 0

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.224 0 0

static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0

static (inside,dmz) 10.10.111.7 10.10.111.7 netmask 255.255.255.255 0 0

static (inside,dmz) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0

static (inside,outside) 10.11.0.0 10.11.0.0 netmask 255.255.0.0 0 0

static (inside,dmz) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0

access-group CSM-acl-outside in interface outside

access-group CSM-acl-inside in interface inside

access-group CSM-acl-dmz in interface dmz

route vpn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

.

.

.

route dmz xxx.xxx.xxx.0 255.255.255.224 xxx.xxx.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http xxx.xxx.xxx.0 255.255.255.0 inside

snmp-server host inside xxx.xxx.xxx.xxx

no snmp-server location

no snmp-server contact

snmp-server community ******

no snmp-server enable traps

no floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map vpn_dyn_map 20 match address vpn_cryptomap_dyn_20

crypto dynamic-map vpn_dyn_map 20 set transform-set ESP-DES-MD5

crypto dynamic-map vpn_dyn_map 40 match address vpn_cryptomap_dyn_40

crypto dynamic-map vpn_dyn_map 40 set transform-set ESP-DES-SHA

crypto map vpn_map 65535 ipsec-isakmp dynamic vpn_dyn_map

crypto map vpn_map interface vpn

isakmp enable vpn

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup IT address-pool IT-ip-pool

vpngroup IT dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

vpngroup IT default-domain karlstad.se

vpngroup IT idle-time 1800

vpngroup IT max-time 3600

vpngroup IT password ********

vpngroup IT-TEST address-pool IT-ip-pool

vpngroup IT-TEST idle-time 1800

vpngroup IT-TEST password ********

telnet xxx.xxx.xxx.0 255.255.255.0 inside

telnet timeout 20

ssh timeout 5

terminal width 80

Cryptochecksum:2226d30fbf594b0121de963e5053542f

: end

pixfirewall#

I have checked your config,

"access-group CSM-acl-outside in interface outside "

IPSEC over TCP default using TCP port 10000.

In CSM-acl-outside, where is the permit tcp port 10000 for the outside interface of your pix outside interface ip address (10.70.1.2 ) ?

Without allowing tcp 10000 for your PIX outside interface, IPSEC over TCP will not be working.

Best Regards,

We are using interface named VPN for vpn termination (iinterface outside is not connected to Internet), and we have already tried access-lists according to following:

access-list CSM-acl-vpn permit tcp any host eq 10000

access-group CSM-acl-vpn in interface vpn

It doesn't work.

Why do you not have to define access lists for VPN over UDP? This works fine.

If it would work with IPsec over TCP, how do you change TCP port number in the PIX firewall?

When we are trying to connect using Cisco VPN client 3.5.2 with option IPsec over TCP we get the following error message in the client Log viewer regardless if we have defined access-lists or not.

78 10:41:01.250 07/23/02 Sev=Warning/2 IPSEC/0x6370001E

Unexpected TCP control packet received from 194.103.29.35, src port 10000, dst port 4654, flags 14h

79 10:41:06.187 07/23/02 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_CTCP_FAIL" (1Dh).

.

Best regards

without permit udp 10000, the IPSEC over UDP will not be working fine.

You still can get connection, but after that, you check the status of the VPN client, you might see "IPSEC over UDP" or NAT tranparency is inactive.

That means it is still using normal IPSEC ports.

"sysopt connection permit IPSEC" open UDP 500, protocol ESP and AH for you on the PIX. So you do not need extra access-list with it.

IPSEC over TCP can pass PIX without a problem for sure.

Please do further tests as be below:

1 Directly connect your PC to the concentrator outside interface, bypass PIX, see "IPSEC over TCP" working or not.

2 If above working fine, add "permit ip host x.x.x.x host y.y.y.y" from your PC to the concentrator translated ip address, (wide open for all ip traffic between each other).

3 Check anything else blocking TCP 10000 or not.

Any further issues, please open a TAC case, we will help you to make it working.

Best Regards,