Cisco Support Community

New Member

Cisco VPN Client through PIX


My problem is the following configuration:

VPN Client(Software) --> PIX --> Internet --> PIX (Tunnel Endpoint)

The VPN Client cannot connect to the second PIX over the Internet. What must I configure on the first PIX to pass the IPsec traffic to the client? Normally I think this is port 500/udp.

In the following configuration the PIX VPN Client is functional:

VPN Client(Software) --> Router --> Internet --> PIX (Tunnel Endpoint)

On the router I have configured a static NAT/PAT entry, and incoming Internet traffic is allowed to port 500/udp.

What mistake have I made?

Thanks for your solutions!!!


Re: Cisco VPN Client through PIX


On the pass-thru PIX, you need to configure NAT (static) for the VPN client machine, and then permit "UDP 500" and ESP traffic inbound on the ACL applied to the outside interface on the PIX.

PIX 6.3 is coming with an IPSec/UDP feature; then you can connect one client behind the PIX w/o static NAT (PIX with PAT). It's due at the end of March.



New Member

Re: Cisco VPN Client through PIX

Does anyone have a sample config to allow IPSec pass thru on the PIX? I have just upgraded to PIX OS 6.3 and would like to allow my internal VPN client to build a tunnel to a remote PIX.

Remote PIX-----------Internet--------------Home PIX---------VPN Client


Cisco Employee

Re: Cisco VPN Client through PIX

Use the "fixup protocol esp-ike" command. Only one tunnel is supported at one time; also, you can't terminate VPNs on this PIX after enabling this command.
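
The two approaches described in this thread, written out as an added example (not part of any post above and not a Cisco-supplied sample): static NAT with an inbound ACL limited to the remote tunnel endpoint, and PAT with the ESP fixup on PIX OS 6.3. All addresses (documentation ranges), the ACL name `outside_in` and NAT ID `1` are assumptions; substitute your own values.

```cisco
: Assumed placeholder addressing (constructed for this example):
:   192.168.1.10   VPN client on the inside network
:   203.0.113.10   public address mapped to the client (Option A)
:   198.51.100.1   outside address of the remote PIX (tunnel endpoint)

: --- Option A: static NAT plus inbound ACL (first reply) ---
: One-to-one translation so ESP, which has no ports, can be mapped back
: to the client.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

: Permit IKE (UDP 500) and ESP inbound, but only from the known tunnel
: endpoint to the translated client address, not from any source.
access-list outside_in permit udp host 198.51.100.1 host 203.0.113.10 eq 500
access-list outside_in permit esp host 198.51.100.1 host 203.0.113.10
access-group outside_in in interface outside

: --- Option B: PAT plus ESP fixup, PIX OS 6.3 (last reply) ---
: The client shares the outside interface address with other hosts.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

: Lets a single ESP tunnel pass through PAT. As stated in the reply above,
: only one tunnel is supported at a time and this PIX can no longer
: terminate VPNs itself once the command is enabled.
fixup protocol esp-ike
```

Options A and B are alternatives, not a combined configuration. With Option A, `show access-list` displays hit counts on the two permit entries, which confirms whether IKE and ESP from the remote endpoint are actually reaching the pass-through PIX.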
