Cisco Support Community
Community Member

VPN Client Problems

I have VPN client version 4.0 and need to connect to a PIX firewall across the internet. The problem I am having is that I can establish a tunnel, but am unable to utilize the application or even ping the application server on the other side. I am behind another PIX firewall, and when I take my local PIX firewall out of the picture I can access the application that I need to upon establishing the tunnel. So it appears something in my local PIX firewall is allowing the establishment of the tunnel, however not allowing anything after the fact.

I have tried a couple of things, "sysopt connection permit-ipsec", ACLs, etc., and still cannot get this to work. I ran into this problem before and changed from PAT to a NAT pool, which for one reason or another fixed my problem; however, this time I do not have the IP addresses available to not run PAT.


Re: VPN Client Problems

The application in question must be opening a return connection to a port that is not pre-defined. That's why when you changed to NAT the application was accessible. Since you are using PAT you will not be able to connect to applications that operate on ports that are not pre-defined.

Cisco Employee

Re: VPN Client Problems


You'll have to make sure that the PIX firewall to which you are establishing a tunnel has the image 6.3.x which supports the NAT-T feature. This feature will allow you to connect using a vpn client which is behind a device doing PAT.

You'll have to enable NAT-T. The command is:

    isakmp nat-traversal

More details can be found at

On the local PIX make sure that you open up UDP 4500 (used by NAT-T).
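The two-sided setup described in this reply, written out as an added configuration example (not taken from the thread or from Cisco documentation). The head-end address 203.0.113.1, the ACL name inside_out and the 20-second keepalive value are assumptions; lines beginning with ":" are comments.

```text
: --- Remote (head-end) PIX, 6.3.x: terminates the VPN Client 4.0 tunnel ---
: Enable IKE on the outside interface and turn on NAT-T. The trailing value is the
: NAT keepalive interval in seconds (assumed here; 20 is the documented default).
isakmp enable outside
isakmp nat-traversal 20
: Let decrypted IPsec traffic bypass the interface ACL on the head-end.
sysopt connection permit-ipsec

: --- Local PIX, the one doing PAT in front of the client ---
: Only needed if an outbound ACL is applied to the inside interface. IKE (udp/500)
: and NAT-T (udp/4500) to the head-end must be allowed; with NAT-T enabled the
: client sends ESP inside udp/4500, which PAT can translate, instead of bare ESP.
access-list inside_out permit udp any host 203.0.113.1 eq 500
access-list inside_out permit udp any host 203.0.113.1 eq 4500
access-list inside_out permit ip any any
access-group inside_out in interface inside
```

If the tunnel comes up but nothing passes afterwards, confirm with `show isakmp sa` and `show ipsec sa` on the head-end that the peer negotiated NAT-T (the SA should show udp/4500 encapsulation); if it still shows plain ESP, NAT-T was not agreed and the PAT device is dropping the ESP packets.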



Community Member

Re: VPN Client Problems

I believe that PIX code 6.3 has a fix for this... Try the command "isakmp nat-traversal". I have never tested it, but if I understand it correctly, it should work.

Has anyone used this command?


