Cisco Support Community
New Member

PIX 515E VPN Queries

1) I have configured a PIX 515E 6.3(4) firewall which has been up and running fine for the past 3 months. I have configured a pool to assign IPs to my VPN clients. I see that as days progress the firewall is assigning higher and higher IPs in the pool and the unused ones are not getting flushed out. Is there any way to define the lease period for this VPN DHCP pool? Otherwise I'll run short of IPs.

2) Also, one of our users is trying to connect to another PIX 515E firewall using Cisco VPN Client 4.6 from within my network. I have given a static NAT to this user. I have also opened all ports for him for outbound traffic. The problem we face is that whenever we dial using the VPN client we get the authentication screen and also get authenticated successfully, but the user is unable to browse the remote network. When the same user connects via dial-up Internet everything works fine. Could someone tell me the incoming and outgoing ports that need to be kept open on the PIX 515E for VPN to work perfectly?

3) Many users (in fact me too) face a problem that whenever we try to connect to this firewall remotely from home the VPN dialer gets stuck on the screen "Securing Communications Channel....". Is there any sort of fine tuning needed in my existing config?

Thanks in advance

Cisco Employee

Re: PIX 515E VPN Queries

1) Don't worry about this, the way the PIX works with IP assignment is that it'll use higher and higher ones, but it is releasing the lower ones. When it gets to the top of your pool it'll just start back down at the bottom again. Nothing to worry about and quite normal behaviour (or abnormal if you like, but that's the way it's designed anyway :-) )

2) Configure "fixup protocol esp-ike" on your PIX; this allows it to open up the correct holes for the return traffic. The issue here is primarily ESP traffic, which, since it is not TCP/UDP based, the PIX doesn't open up a hole for to allow the return traffic.

3) Not generally; it's difficult to say what is causing this without seeing some debug on your PIX and VPN client.

New Member

Re: PIX 515E VPN Queries

Thanks for all your help. But I get the following error when I try to run "fixup protocol esp-ike":

"PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!"

I was successful in disabling IKE for the outside interface and running the fixup. But once I do a fixup for esp-ike, I cannot enable IKE on my outside interface. This prevents me from using the VPN client to connect to my network externally. I get the error "The remote peer is no longer responding".

Cisco Employee

Re: PIX 515E VPN Queries

Yes, that's correct, you can't enable the ESP fixup if you have VPN clients coming in as well, my apologies, I should have mentioned that.

In that case then you will have to enable NAT-Transparency on your VPN client/concentrator, or whatever UDP/TCP encapsulation it has (sorry, you don't mention whether it's a Cisco VPN client/conc or someone else's). All of them, however, do some sort of UDP/TCP encapsulation of ESP packets to get around exactly the problem you're seeing, of being behind a NAT/PAT device. If you can get the client and concentrator to encapsulate the ESP packets into UDP/TCP packets, then the PIX will PAT them properly and, more importantly, will open up holes for the return traffic.

If that still fails, you do mention that you have a static NAT translation in the PIX for this internal client, and that you have opened up all ports for it. Try adding the following line to your ACL:

access-list permit esp any host
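
A complete version of the static-plus-ACL approach described in this reply, as an added example that is not from the thread or from Cisco. The ACL name, the inside client address, its static outside address and the remote PIX address are all constructed placeholders; the rules are scoped to the one remote peer rather than "all ports", so only IKE (UDP 500), NAT-T (UDP 4500) and ESP from that peer can reach the translated host.

```text
! PIX 6.3 configuration fragment (constructed example values)
!   inside VPN client ........ 192.168.1.50
!   its static outside address 203.0.113.50
!   remote PIX 515E peer ..... 198.51.100.1
!
! One-to-one static translation: inbound ESP can be matched to this
! host without "fixup protocol esp-ike", which is unavailable while
! ISAKMP is enabled on the outside interface.
static (inside,outside) 203.0.113.50 192.168.1.50 netmask 255.255.255.255

! Inbound rules for the return traffic, restricted to the remote peer.
access-list outside_in permit udp host 198.51.100.1 host 203.0.113.50 eq isakmp
access-list outside_in permit udp host 198.51.100.1 host 203.0.113.50 eq 4500
access-list outside_in permit esp host 198.51.100.1 host 203.0.113.50

! Apply the ACL to the outside interface.
access-group outside_in in interface outside
```

If NAT-Transparency is enabled on both ends, the UDP 4500 line is the one that carries the encapsulated ESP, and the bare esp line can be dropped.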

New Member

Re: PIX 515E VPN Queries

Thanks for the info. For my Problem Statement 3 (VPN Client gets stuck at "Securing Communications Channel") I interpreted something from the logs and tried it out, and it seems to work. I don't know whether I am right, but I feel that the MS IPSec driver is somehow interfering. After I stopped the MS IPSec service and tried to connect at least 3 or 4 times, it always connected. Thanks in advance.

New Member

Re: PIX 515E VPN Queries

Oh no... My Problem no. 3 (VPN Client gets stuck at "Securing Communications Channel") is not completely solved. I was still facing this problem after reinstalling the VPN client. I tried installing versions 4.6.0045 and 4.6.0049. Both of these versions were giving me the same problems. Finally, I guess version 4.0.5 (Rel) seems to work perfectly. This is the same version which I also use in Win98. Actually, with this version even my authentication procedure is faster. FYI, I also have a ZoneAlarm firewall installed on my PC. Does ZA conflict with any of the above mentioned versions? Thanks in advance.
