I have VPN client Vers. 4.0 and need to connect to a PIX firewall across the internet. The problem I am having is that I can establish a tunnel, but am unable to utilize the application or even ping the application server on the other side. I am behind another PIX firewall and when I take my local PIX firewall out of the picture I can access the application that I need to upon establishing the tunnel. So it appears something in my local PIX firewall is allowing the establishment of the tunnel, however not allowing anything after the fact.
I have tried a couple of things, "sysopt connection permit-ipsec", ACLs, etc... and still cannot get this to work. I ran into this problem before and changed from PAT to a NAT pool, which for one reason or another fixed my problem, however this time I do not have the IP addresses available to not run PAT.
The application in question must be opening a return connection to a port that is not pre-defined. That's why when you changed to NAT the application was accessible. Since you are using PAT you will not be able to connect to applications that operate on ports that are not pre-defined.
You'll have to make sure that the PIX firewall to which you are establishing a tunnel has the image 6.3.x which supports the NAT-T feature. This feature will allow you to connect using a VPN client which is behind a device doing PAT.
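What NAT-T changes on the wire, as an added example that is not part of the original thread: PAT rewrites TCP/UDP ports, and plain ESP (IP protocol 50) has none, while NAT-T wraps ESP in UDP port 4500 (RFC 3947/3948). The classifier below is a sketch for reading a capture taken outside the local PAT device; the function names, verdict strings and packet tuples are constructed for illustration.

```python
# Added illustration: classify IPsec traffic seen outside a PAT device.
# Packets are (ip_proto, src_port, dst_port, payload) tuples, constructed here.
IKE_PORT, NATT_PORT = 500, 4500
PROTO_UDP, PROTO_ESP = 17, 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: precedes IKE on UDP 4500

def classify(proto, sport, dport, payload=b""):
    """Return the IPsec role of one packet."""
    if proto == PROTO_ESP:
        return "esp-raw"               # no ports for PAT to translate
    if proto != PROTO_UDP:
        return "other"
    if IKE_PORT in (sport, dport):
        return "ike"                   # negotiation; UDP, so it crosses PAT
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"    # keeps the PAT translation alive
        if payload[:4] == NON_ESP_MARKER:
            return "natt-ike"
        if len(payload) >= 8:          # SPI (non-zero) + sequence number
            return "natt-esp"          # ESP inside UDP, so it crosses PAT
    return "other"

def diagnose(packets):
    """Summarise a capture: how is tunnel data being carried?"""
    kinds = {classify(*p) for p in packets}
    if "natt-esp" in kinds:
        return "nat-t"       # data is UDP-encapsulated
    if "esp-raw" in kinds:
        return "raw-esp"     # data relies on the PAT device passing protocol 50
    if kinds & {"ike", "natt-ike"}:
        return "ike-only"    # tunnel negotiated, no data packets seen
    return "none"

# Constructed samples: a peer without NAT-T, then one with NAT-T enabled.
ESP_BODY = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + b"\xaa" * 16
WITHOUT_NATT = [(17, 1024, 500, b"ike-msg"), (50, 0, 0, ESP_BODY)]
WITH_NATT = [
    (17, 1024, 500, b"ike-msg"),
    (17, 1025, 4500, NON_ESP_MARKER + b"ike-msg"),
    (17, 1025, 4500, ESP_BODY),
    (17, 1025, 4500, b"\xff"),
]

if __name__ == "__main__":
    print(diagnose(WITHOUT_NATT), diagnose(WITH_NATT))
```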