Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Software Client VPN to 506e Pix 6.3 over ADSL

I am using the 3.6.4 VPN client to try and connect to a 506e running PIX 6.3 across ADSL using a Alcatel Speedtouch USB ADSL modem. I am having problems with this, can anyone clarify any of the following points :

1) I believe that the ADSL service uses some sort of PAT or NAT meaning that I can only connect to VPN using Transparent Tunneling (otherwise packets are discarded by the PIX as they appear tampered with) ?

2) PIX 6.3 "Transparent Tunneling" works only over UDP and not TCP (software client has both options, but these are supported by IOS not PIX) ?

3) ADSL modems (this one certainly) appear to have a problem with UDP traffic ?

My reason for making these assumptions is as follows :

I can connect and establish a tunnel without selecting "transparent tunelling" in the software client, but I can't get any traffic across it. If I select transparent tunneling over TCP I get not response from the PIX on port 10000 (default). If I try and use transparent tunneling over UDP, I get a tunnel, but no traffic across it and the status of the client software shows that transparent tunneling is 'inactive' so tunnel port is '0'.

If, however I change my Alcatel Speedtouch ADSL MODEM with a Draytek 2600 or Netgear DG814 ADSL ROUTER (using same ADSL line, same account info) the above situation is exactly the same - except that tunneling over UDP works, "transparent tunnelling is 'active', tunnel port is '4500' and I have no problem with traffic.

The only difference here being the ADSL hardware. Is this what everyone else has found ? Are there any other ways to achieve this connectivity ? My objective is to give this software client to a number of users with their own (varying) broadband installations and not have a problem with connection hardware (especially the modem we are most likely to encounter). The only way I can see round this at this stage, is to specify that some sort of ADSL router be used for connectivity rather than a modem. I don't know whether there are any plans to implement tunneling over TCP in PIX aswell, but this is likely to be a while a 6.3 has only just come out...

  • Other Security Subjects

Re: Software Client VPN to 506e Pix 6.3 over ADSL

Where are you located? Very few DSL providers in the US NAT/PAT their customers.

How are you using a USB ADSL modem with a pix? The pix does not support a USB interface. If the USB ADSL device breaks out a ethernet port, are you sure it is not a router? If you use a router, you will be PAT'd behind the legitimate ip address.

I strongly recommend making sure that you have an ethernet dsl modem that doesn't/is not configured to route. This would plug into the pix;s outside port, and you can enable the outside interface on the pix to use dhcp. With one real ip on the pix, setting it up for software vpn client connectivity should not be a problem - i have a similar config setup on my 501 off of a cable modem at home.

The sofftware client and vpn 30xx series concentrators are the only devices I am aware of that support the tcp and udp tunnelling for use behind nat/through restrictive firewalls.

New Member

Re: Software Client VPN to 506e Pix 6.3 over ADSL

Thanks for your reply.

Im in the UK, the only reason I suspected the NAT/PAT on the ADSL was the fact that I get a tunnel with traffic if I use transparent tunneling but only a tunnel that traffic does not work across if I do not use transparent tunneling (must be down to NAT/PAT somewhere ?)

The USB ADSL modem is on the client end, not the PIX end. The PIX is on a leased line and is ethernet port into router manager by ISP (CISCO 2600 I think). When I talk about switching between an ADSL modem and an ADSL router, I am talking about the client end. The PIX has it's own public IP Address, but obviously traffic is passing through the ISP managed router.