Cisco Support Community
Community Member

VPN Client 3.0, NAT Transparency and PIX Firewall 6.01

Does VPN Client 3.x (unified framework) support NAT transparency? If not, is there a plan to support this feature? Is there any VPN client with a NAT transparency feature compatible with PIX 6.0?

Problem: I'm sitting behind a corporate firewall with VPN Client 3.x; when I go outside, I'm PAT-ed, and I want to connect to a remote PIX to establish a VPN tunnel. When I'm connected directly to the remote router (next hop is PIX), everything is OK; when I try the same thing behind the firewall, I receive this error:

1 11:16:56.272 07/30/01 Sev=Warning/2 IKE/0xE3000079

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

2 11:16:56.322 07/30/01 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).

Community Member

Re: VPN Client 3.0, NAT Transparency and PIX Firewall 6.01

I am currently performing the same function through a PIX 506 firewall connected to a cable modem using PAT. You must select within the VPN 3.0 client properties "Allow IPSEC through NAT mode". The most common application for IPSec through NAT mode is behind a home router performing PAT. Using this feature encapsulates Protocol 50 (ESP) traffic within UDP packets that the home router/firewall forwards to their destination. The VPN Client also sends keepalives frequently, ensuring that the mappings on the router/firewall are kept active. However, using this method requires port 10000 UDP (default) to be permitted outbound through the firewall.
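A toy model of the behaviour described in the post above, added here as an illustration (it is not part of the thread and not Cisco code): a PAT device cannot translate bare ESP, forwards ESP wrapped in UDP when the port is permitted outbound, and keeps the return path open only while keepalives refresh the mapping. The `PatDevice` class, the 30-second idle timeout and the client address and source port are assumptions made for the example.

```python
ESP, UDP = 50, 17            # IP protocol numbers
IPSEC_UDP_PORT = 10000       # default port named in the post above
IDLE_TIMEOUT = 30            # assumed PAT mapping lifetime, in seconds

class PatDevice:
    """Hypothetical PAT router/firewall with an outbound UDP port filter."""

    def __init__(self, allowed_udp_out):
        self.allowed_udp_out = set(allowed_udp_out)
        self.mappings = {}   # (src_ip, src_port, dst_port) -> time last seen

    def outbound(self, now, proto, src_ip, sport=None, dport=None):
        if proto == ESP:
            # ESP carries no port numbers, so PAT has nothing to key a mapping on.
            return "dropped: no ports to translate"
        if proto == UDP and dport not in self.allowed_udp_out:
            return "dropped: outbound filter"
        self.mappings[(src_ip, sport, dport)] = now   # create or refresh
        return "forwarded"

    def inbound_reply(self, now, src_ip, sport, dport):
        seen = self.mappings.get((src_ip, sport, dport))
        if seen is None or now - seen > IDLE_TIMEOUT:
            return "dropped: no active mapping"
        return "forwarded"

def reply_survives(keepalive_interval, reply_at=120):
    """Does a peer reply at t=reply_at still reach the client?"""
    pat = PatDevice(allowed_udp_out={IPSEC_UDP_PORT})
    flow = ("192.168.1.10", 1025, IPSEC_UDP_PORT)     # constructed client flow
    pat.outbound(0, UDP, *flow)                       # first encapsulated packet
    if keepalive_interval:
        for t in range(keepalive_interval, reply_at, keepalive_interval):
            pat.outbound(t, UDP, *flow)               # keepalive refreshes mapping
    return pat.inbound_reply(reply_at, *flow) == "forwarded"

if __name__ == "__main__":
    pat = PatDevice(allowed_udp_out={IPSEC_UDP_PORT})
    print(pat.outbound(0, ESP, "192.168.1.10"))
    print(pat.outbound(0, UDP, "192.168.1.10", 1025, IPSEC_UDP_PORT))
    print(reply_survives(keepalive_interval=10), reply_survives(keepalive_interval=0))
```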

Community Member

Re: VPN Client 3.0, NAT Transparency and PIX Firewall 6.01

Well, I heard that Cisco does not support this feature yet. I have my clients connecting through their home router or DSL, and a few of them are using PAT. They all select that option, "Allow IPSEC through NAT mode", but they are still unable to do so. Now, if you can help me with this port 10000 UDP to be permitted outbound through the firewall (I am assuming this port access will be on my PIX where the clients are terminating): can you tell me exactly what addresses I have to permit to go out? Is it the virtual IP address that my VPN clients get, or everything? I'm not sure I got how this will be done, allowing that port 10000 UDP. I will appreciate that.
