As I'm not a PIX specialist and have not yet found any enlightening information on the web, I ask here:
I have a VPN client that tries to connect to a PIX. In a Wireshark trace I see that it changes from ISAKMP to UDP port 4500, which in my opinion occurs when NAT is in between. I do not see any reply from my PIX to the port 4500 messages, but only retries on ISAKMP; finally the connection is not established.
Are there any special commands needed to allow port 4500 on the PIX? I have at least "crypto isakmp enable" and "crypto isakmp nat-traversal 20", furthermore there's an access-list on the outside interface (in my opinion this access-list should not be looked at because ISAKMP/4500 ends on the PIX).
I probably have not explained the situation clearly. I have a client VPN that is configured on the PIX. I do not try to traverse the PIX with tunneled traffic. The Cisco VPN client tries to establish a connection to the PIX itself.
I have seen the document you mentioned before but it does reflect my situation.
I cannot tell you if it ever worked. The only thing I can tell is that the client can connect without modification of his profile when no NAT device is in between. My further investigations focus more and more on the NAT device as the culprit. I know too little about ISAKMP yet to really understand how it should work under normal circumstances, but I am doing some more tracing in that direction.
The crypto config is here; I think it looks pretty straightforward, but if you need something more or see anything, let me know.
As you say, I see the communication on port 4500 reaching my PIX. But with a capture on the PIX I see that no packets with source port 4500 are leaving the PIX. So my assumption is that either the configuration is wrong (which I doubt to a certain degree) or that the NAT device (a Netopia router) sends some information that the PIX is not able to interpret and therefore denies the connection.
I will try to capture more data on the PIX to verify what is in the first ISAKMP packets before the communication switches to port 4500.
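A small classifier for the UDP 500/4500 traffic discussed in these posts, added here as an example and not code from the thread or from Cisco: it tells ISAKMP on port 500 apart from the three things that travel on port 4500 (UDP-encapsulated ISAKMP behind the 4-byte non-ESP marker, UDP-encapsulated ESP, and 1-byte NAT keepalives) and then flags the symptom described above, a client that floated to 4500 without the PIX ever answering on that port. The packets, addresses and header values are constructed for illustration; the classification follows RFC 3948 framing.

```python
import struct
from collections import Counter

# Constructed sample capture; both addresses are placeholders, not real hosts.
PIX = "198.51.100.1"
CLIENT = "203.0.113.7"
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # ESP SPIs are never zero, so this marks ISAKMP on 4500


def isakmp_hdr(ispi, rspi, exch_type):
    """Build a bare 28-byte IKEv1 header: I-SPI, R-SPI, next payload, version,
    exchange type, flags, message id, total length (constructed values)."""
    return struct.pack("!8s8sBBBBII", ispi, rspi, 1, 0x10, exch_type, 0, 0, 28)


I_SPI, R_SPI, ZERO_SPI = b"\x11" * 8, b"\x22" * 8, b"\x00" * 8
PACKETS = [  # (src, sport, dst, dport, udp payload)
    (CLIENT, 500, PIX, 500, isakmp_hdr(I_SPI, ZERO_SPI, 4)),                    # first aggressive-mode msg
    (PIX, 500, CLIENT, 500, isakmp_hdr(I_SPI, R_SPI, 4)),                       # PIX answers on 500
    (CLIENT, 4500, PIX, 4500, NON_ESP_MARKER + isakmp_hdr(I_SPI, R_SPI, 4)),    # client floats to 4500
    (CLIENT, 4500, PIX, 4500, NON_ESP_MARKER + isakmp_hdr(I_SPI, R_SPI, 4)),    # retry on 4500
    (CLIENT, 500, PIX, 500, isakmp_hdr(I_SPI, R_SPI, 4)),                       # retry on 500
]


def classify(port, payload):
    """Name a UDP payload seen on port 500 or 4500."""
    if port == 500:
        return "isakmp" if len(payload) >= 28 else "short"
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"
        if payload[:4] == NON_ESP_MARKER and len(payload) >= 32:
            return "isakmp-udp-encap"
        if len(payload) >= 8:
            return "esp-udp-encap"
    return "unknown"


def summarize(packets, peer):
    """Count (direction, peer-side port, kind) so a one-sided exchange stands out."""
    counts = Counter()
    for src, sport, dst, dport, data in packets:
        to_peer = dst == peer
        port = dport if to_peer else sport
        counts[("to_peer" if to_peer else "from_peer", port, classify(port, data))] += 1
    return counts


def unanswered_nat_t(counts):
    """True when ISAKMP was sent to the peer on 4500 but nothing came back on 4500."""
    sent = sum(n for (d, p, k), n in counts.items() if d == "to_peer" and p == 4500 and k == "isakmp-udp-encap")
    got = sum(n for (d, p, _), n in counts.items() if d == "from_peer" and p == 4500)
    return sent > 0 and got == 0
```

Run against a real capture by filling PACKETS from the UDP payloads of the trace; a True result from unanswered_nat_t means the port-4500 leg is the one to investigate.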
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.