VPN 4.6 traffic through PIX

Are there specific configs to allow VPN traffic behind PIX firewalls? We have a client using 4.6 that is behind two PIX firewalls but is unable to connect. We've opened up pretty much everything between the client and endpoint just to rule out any blocks. Also we added the sysopt connection permit-ipsec. There's nothing coming up in the logs. What we've noticed from traffic captures is that the 500 communication looks alright, but it never goes further to the 50 communication. Also we see a lot of fragmented packets.

Any help is appreciated, thanks

4 REPLIES

Re: VPN 4.6 traffic through PIX

Hello,

Is your 4.6 client terminating to a PIX or a Concentrator? Second, when NATing through the PIXes, is it using PAT or does it receive its own NAT public IP address?

If you're terminating the VPN tunnel on a PIX you probably need to turn on NAT traversal.

"isakmp nat-traversal 20"

The way to determine if it has to do with NAT traversal: if your VPN client is able to get connected but is not able to pass any traffic, it's probably NAT traversal causing the problem.

Patrick

Please rate any posts that were helpful.


Re: VPN 4.6 traffic through PIX

It's terminating to a concentrator and the client has no translation; it uses its public IP address.

Rogel

Re: VPN 4.6 traffic through PIX

Hi .. If I understood correctly ..

1.- The client is behind two PIX firewalls .. correct..? Are you sure he is using a public IP address .. perhaps it is NATed by the PIXes.

2.- The client is using version 4.6 .. correct?

3.- The VPN is terminating on a VPN concentrator .. correct ?

4.- All the PIXes have sysopt connection permit-ipsec and isakmp nat-traversal 20 ... correct ?

5.- Can you check the firewalls have fixup protocol esp-ike as well?

6.- Configure the client and the VPN concentrator to use IPsec over UDP encapsulation and allow port 4500 to pass through the PIXes all the way to the Concentrator.

I hope it helps ... please rate it if it does !!!
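The original post describes a capture in which the UDP 500 (ISAKMP) exchange looks fine but nothing ever follows on IP protocol 50 (ESP), and the checklist above asks about sysopt connection permit-ipsec, fixup protocol esp-ike and IPsec over UDP on port 4500. As an added example, not code from this thread or from Cisco, the script below shows how to turn a tcpdump-style capture summary into that diagnosis: it counts IKE on UDP 500, NAT-T on UDP 4500, ESP and IP fragments, then reports which of the thread's cases the capture matches. The capture lines, addresses (from documentation ranges) and the tcpdump-like line format are all constructed for the example; the regular expressions assume that format.

```python
import re
from collections import Counter

# Constructed tcpdump-style capture summaries (documentation addresses, not real
# hosts). ISAKMP on UDP 500 completes both phases, but no ESP (IP protocol 50)
# ever appears, matching the symptom in the original post; two of the lines are
# fragments of one oversized IKE datagram.
BLOCKED_ESP_CAPTURE = """\
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I agg
IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R agg
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I agg (frag 12345:1480@0+)
IP 203.0.113.10 > 198.51.100.5: udp (frag 12345:60@1480)
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 2/others I oakley-quick
IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 2/others R oakley-quick
"""

# Constructed capture of the same client after switching to IPsec over UDP
# (NAT-T): after phase 1, IKE and the encapsulated ESP both ride on UDP 4500.
NATT_CAPTURE = """\
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I agg
IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R agg
IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
IP 198.51.100.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
"""

# What each line of the (assumed) tcpdump-like summary format looks like.
PATTERNS = {
    "ike_udp500": re.compile(r"\.500 > \S+\.500: isakmp"),   # native IKE
    "natt_udp4500": re.compile(r"\.4500 > \S+\.4500:"),      # NAT-T (IKE or ESP)
    "esp": re.compile(r": ESP\(spi="),                        # ESP, native or UDP-encapsulated
    "fragment": re.compile(r"\(frag "),                       # any IP fragment
}


def summarize_capture(text):
    """Count how many capture lines fall into each traffic class."""
    counts = Counter()
    for line in text.splitlines():
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                counts[name] += 1
    return counts


def diagnose(counts):
    """Map the counts onto the cases discussed in the thread.

    Returns a list of (code, explanation) tuples so callers can act on the code.
    """
    findings = []
    if counts["ike_udp500"] == 0 and counts["natt_udp4500"] == 0:
        findings.append(("no_ike",
                         "no ISAKMP on UDP 500 or 4500: IKE is not reaching the peer at all"))
    elif counts["esp"] == 0 and counts["natt_udp4500"] == 0:
        findings.append(("no_esp",
                         "IKE on UDP 500 is exchanged but no ESP (IP protocol 50) follows: "
                         "verify every firewall on the path permits protocol 50 in both "
                         "directions (sysopt connection permit-ipsec, fixup protocol esp-ike) "
                         "or move to IPsec over UDP and permit UDP 4500 end to end"))
    if counts["fragment"]:
        findings.append(("fragments",
                         f"{counts['fragment']} fragmented datagrams seen: large IKE packets "
                         "(e.g. certificate payloads) fragment, and a firewall that drops "
                         "non-initial fragments breaks the exchange"))
    if not findings:
        findings.append(("ok",
                         "IKE and ESP (native or UDP-encapsulated) both present: "
                         "the firewalls are passing the tunnel"))
    return findings


if __name__ == "__main__":
    for label, capture in (("blocked ESP", BLOCKED_ESP_CAPTURE), ("NAT-T", NATT_CAPTURE)):
        counts = summarize_capture(capture)
        print(f"[{label}] {dict(counts)}")
        for code, text in diagnose(counts):
            print(f"  {code}: {text}")
```

Against the first capture the script reports the thread's exact situation (IKE complete, ESP missing, plus fragments); against the second it reports a working NAT-T tunnel, which is what moving to IPsec over UDP on port 4500 should look like from the firewall's point of view.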


Re: VPN 4.6 traffic through PIX

1 - We moved the client so that it's only behind one firewall now, and it is using its public IP address.

2 - The client is using 4.6.

3 - It is terminating to a VPN concentrator.

4 - The sysopt command is there; we didn't do the nat-traversal since we're not NATing. Would we still need that?

5 - The esp-ike command is also there.

6 - We'll have to review. Right now the people who own the concentrator will not change anything, since other clients use it. Basically they're blaming our network, specifically our firewall, since it works with other clients/networks.
