Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1243
Views
0
Helpful
0
Comments

The IPSec VPN tunnel does not come up when there is a PIX 500 Series Firewall with software version 6.x in between the two peers with the fixup protocol esp-ike command configured

TCC_2
Level 10
Level 10

on ‎06-18-2009 03:53 PM

Core issue

The fixup protocol esp-ike command enables Port Address Translation (PAT) for Encapsulating Security Payload (ESP), single tunnel.

The fixup protocol esp-ike command is disabled by default. If a fixup protocol esp-ike command is issued, the fixup is turned on, and the PIX Firewall preserves the source port of the Internet Key Exchange (IKE). It also creates a PAT translation for ESP traffic. Additionally, if the esp-ike fixup is on, Internet Security Association and Key Management Protocol (ISAKMP) cannot be enabled on any interface.

Resolution

In order to resolve the issue, disable the fixup protocol esp-ike command and make sure that there is static translation on the PIX for the VPN tunnel endpoint behind the PIX.

Problem Type

Troubleshoot software feature

Product Family

Firewall - PIX 500 series

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents