Are there specific configs to allow VPN traffic behind PIX firewalls? We have a client using 4.6 that is behind two PIX firewalls but is unable to connect. We've opened up pretty much everything between the client and endpoint just to rule out any blocks. Also we added the sysopt connection permit-ipsec. There's nothing coming up in the logs. What we've noticed from traffic captures is that the 500 communication looks alright, but it never goes further to the 50 communication. Also we see a lot of fragmented packets.
1 - we moved the client so that it's only behind one firewall now and it is using its public IP address
2 - client is using 4.6
3 - it is terminating to a VPN concentrator
4 - the sysopt command is there; we didn't do the nat-traversal since we're not NATing. Would we still need that?
5 - the esp-ike cmd is also there
6 - We'll have to review, right now the people who own the concentrator will not change anything, since other clients use it. Basically they're blaming our network, specifically our firewall, since it works with other clients/networks
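The symptom described in this thread (IKE on UDP/500 looks fine, ESP on IP protocol 50 never appears, plus fragments) can be checked mechanically from a capture summary. The following helper is an added example, not code from the thread; the tcpdump-style lines it reads are constructed, and the verdict strings are its own wording.

```python
import re
from collections import Counter

# Constructed tcpdump-style summary (hypothetical, not a real capture) matching the
# thread's symptom: IKE on UDP/500 completes, ESP (IP protocol 50) never follows.
SAMPLE_CAPTURE = """\
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident (frag 1234:1480@0+)
IP 203.0.113.10 > 198.51.100.5: ip-proto-17 (frag 1234:120@1480)
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 2/others I oakley-quick
IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 2/others R oakley-quick
"""

LINE_RE = re.compile(r"^IP (\S+) > (\S+): (.*)$")

def classify(line):
    """Tag one summary line: 'esp', 'nat-t' (UDP/4500), 'isakmp' (UDP/500) or 'other'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, desc = m.groups()
    if "ESP(" in desc or "ip-proto-50" in desc:
        return "esp"
    if src.endswith(".4500") or dst.endswith(".4500"):
        return "nat-t"
    if "isakmp" in desc:
        return "isakmp"
    return "other"

def analyze(capture_text):
    """Count traffic classes and IP fragments; return the counts plus a plain verdict."""
    counts = Counter()
    for line in capture_text.splitlines():
        tag = classify(line)
        if tag is None:
            continue
        counts[tag] += 1
        if "(frag " in line:  # tcpdump marks IP fragments this way
            counts["fragments"] += 1
    if counts["isakmp"] == 0 and counts["nat-t"] == 0:
        verdict = "no IKE seen at the capture point: UDP/500 (or UDP/4500) is blocked earlier"
    elif counts["esp"] == 0 and counts["nat-t"] == 0:
        verdict = ("IKE completes on UDP/500 but no ESP (IP protocol 50) follows: "
                   "permit protocol 50 end to end, or enable NAT-T so ESP rides UDP/4500")
    else:
        verdict = "IKE and data path (ESP or NAT-T) both observed"
    if counts["fragments"]:
        verdict += "; fragmented IKE packets present, so every firewall in path must pass IP fragments"
    return {"counts": dict(counts), "verdict": verdict}
```

Feed it `tcpdump -n` output filtered on the client and concentrator addresses; a capture taken on each side of each PIX shows which hop drops protocol 50 or the fragments.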