Cisco Support Community
New Member

VPN Client through a PIX out to the Internet

I have a workstation sitting behind a PIX 520 (no IPSec on the PIX). The workstation is using Cisco's VPN Client to connect across the inet to an Altiga concentrator.

I have conduits permitting esp and udp 500 on the PIX and permit statements for esp and udp 500 on my screening router's acl. I cannot make a connection from the wkst to the remote vpn gateway.

What am I missing?

New Member

Re: VPN Client through a PIX out to the Internet

It should work as you describe. Have you tested connections to the VPN 3000 without the firewall? Are you sure you're able to connect to the concentrator without a PIX in the mix? My other concern is whether you're using NAT overload (PAT) on the PIX. ESP is compatible with NAT, but not PAT without some configuration changes. To run the VPN 3000 client through PAT you need to enable NAT transparency. The problem with PAT and ESP is that the ESP header has no port field. Ergo, there is no way for the PIX to track PAT sessions. NAT transparency adds a UDP header in front of the ESP header to facilitate port tracking. Configuring NAT transparency is straightforward and detailed in the VPN 3000 docs. Let me know if any of this addresses your situation. If you like, you may e-mail me directly at Good luck!
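As an added illustration (not part of the original thread), here is a small Python model of the PAT behaviour the reply describes: plain ESP gives the PIX no port to rewrite or key a session on, while the UDP header that NAT transparency prepends does, so two inside hosts can reach the same concentrator through one public address. The addresses, SPIs and the UDP port 10000 are constructed or assumed values.

```python
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.1"        # PIX outside address (constructed)
CONCENTRATOR = "198.51.100.10"   # VPN 3000 outside address (constructed)
NAT_T_PORT = 10000               # assumed UDP port for NAT transparency

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "esp" (IP protocol 50) or "udp"
    sport: Optional[int]   # None for ESP: it carries an SPI, no port fields
    dport: Optional[int]
    spi: int

class PAT:
    """NAT overload: many inside hosts share one public IP, keyed by source port."""
    def __init__(self):
        self.next_port = 1024
        self.table = {}    # mapped public port -> (inside ip, inside port)

    def outbound(self, pkt):
        if pkt.sport is None:
            # ESP has no port: nothing to rewrite and no key to track the session
            return None
        mapped, self.next_port = self.next_port, self.next_port + 1
        self.table[mapped] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=mapped)

    def inbound(self, pkt):
        if pkt.dport not in self.table:
            return None
        inside_ip, inside_port = self.table[pkt.dport]
        return replace(pkt, dst=inside_ip, dport=inside_port)

def encapsulate(esp_pkt):
    """NAT transparency: prepend a UDP header so PAT has a port to work with."""
    return replace(esp_pkt, proto="udp", sport=NAT_T_PORT, dport=NAT_T_PORT)

def run_demo():
    host_a = Packet("10.1.1.10", CONCENTRATOR, "esp", None, None, spi=0x1001)
    host_b = Packet("10.1.1.11", CONCENTRATOR, "esp", None, None, spi=0x1002)
    pat = PAT()
    raw = [pat.outbound(p) for p in (host_a, host_b)]      # plain ESP: dropped
    out_a = pat.outbound(encapsulate(host_a))               # UDP/ESP: translated
    out_b = pat.outbound(encapsulate(host_b))
    reply = Packet(CONCENTRATOR, PUBLIC_IP, "udp", NAT_T_PORT, out_b.sport, spi=0x2002)  # to B's mapped port
    return raw, out_a, out_b, pat.inbound(reply)
```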
