Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

remote CVPN behind firewall that need to connect to VPN 3000 concentrators

Hi folk,

I have a sitution that a user of our parnter company need to access our netwrok via VPN connection.

The setting:

User has Winodow 2000 laptop wiht Cisco VPN clinet 3.5.1 install on the machine. The laptop is siting behind one of the WatchGuard firewall at remote site that does not have a lot document that help to troubleshoot

At our end with VPN 3000 concentrators that work with all the user via internet and dialup connection.

The challenge here is the laptop will work ourside of any network but not this particular type of firwall. The vpn traffice seemd to connect pass first phase that only send about 1476 byte information and nothing going back out to this remote site that behind the WatchGuard firewall.

Q1.Is there certain port that the remote firewall need to open? I read about the UDP port 500 need to opent to allow the IPsec traffice go through.

Q2. Is there any other setting that Cisco VPN client that need to modify to overcome this type of issue?

Thank in advance for all the responds. Your answer and pointer that would make my life easier.


Cisco Employee

Re: remote CVPN behind firewall that need to connect to VPN 3000

The firewall is probably doing PAT which is killing your IPSec packets.

The VPN client has an option on it called Transparent Tunnelling, which encapsulates your IPSec packets into either TCP or UDP packets which can then be PAT'd properly by the firewall. On the client this is usually enabled by default, but check your connection properties to make sure it's on. Use IPsec over UDP.

On the concentrator, modify the group that this client is connecting into, and under the Mode Config tab check the IPSec over UDP box, this will enable that feature for all users in this group.

After that you should be good to go.