Attempting to configure the following.
h - p1 - I - p2
h - host
p1 - 501 PIX (I control)
I - Internet
p2 - Cisco Device with VPN enabled.
I can VPN from home into p1 and establish a connection; however, when behind p1 and I attempt to VPN to p2, I can establish a connection but can't pass traffic. I have PAT running on my PIX (p1).
I understand that I should not have the 101 ACLs configured the way they are currently, just trying to rule out that my ACLs were not blocking.
Does the 501 allow this functionality?
Unfortunately I have no control over p2, this is a customers device. I do not have a VPN tunnel connecting the two devices, I just want to be able to use the cisco client from inside p1 and connect to p2.
I am able to connect if I remove p1 and replace it with a Linksys. p1 is not allowing something... I just don't know what it is.
tstrunce, that is not necessarily the case. I understand you are not tunneling between the devices. Since your PIX is doing PAT, you must be able to do NAT-traversal from your client. This means your client must be configured and the remote end point must be configured for NAT-T. Your PIX is not blocking anything.
Another option is to do "fixup protocol esp-ike" on your PIX; this will allow for one VPN connection and one only. You will also not be able to terminate VPNs on your PIX.
A one to one static on your client will help as well if you have an extra ip address.
OK, I understand now... PAT is the issue.
fixup protocol esp-ike is not an option because I need users to be able to VPN in. I've seen this command before in the past, just didn't understand what it did.
How does a 1 to 1 static work? I understand that I would need another external IP address on my side however would the other IP address be the external interface on p2?
BTW...thanks so much for the response!
It works like this... basically it would NAT the client 192.168.1.1 to 188.8.131.52, not PAT, therefore allowing you to connect.
static (inside,outside) 184.108.40.206 192.168.1.1 netmask 255.255.255.255
You could also try "isakmp nat-traversal" in your pix. I have heard this may help, but not in my experience. Make sure you have enabled transparent tunneling in your vpn client config, udp 4500.
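The following is an added illustration for this thread, not PIX code or anything from Cisco or the posters: a toy Python model of the four options discussed above (raw ESP through PAT, "fixup protocol esp-ike", NAT-T on UDP 4500, and a 1:1 static). The protocol numbers (ESP is IP protocol 50, UDP is 17) and port 4500 are the real values; the addresses (RFC 5737 documentation ranges), the PatDevice class and its outbound/inbound methods are constructed for the example and do not mirror the PIX xlate implementation. It shows why PAT alone cannot carry ESP (there is no port field to rewrite), why esp-ike passthrough admits only one client, and why NAT-T or a dedicated static address restores connectivity.

```python
"""Toy model of IPsec ESP crossing a PAT device (added example, not PIX code)."""

ESP = 50            # IP protocol number for ESP: no port field at all
UDP = 17
NAT_T_PORT = 4500   # IPsec NAT-T: ESP encapsulated inside UDP/4500


class PatDevice:
    """One public address shared by many inside hosts (constructed model).

    esp_passthrough models "fixup protocol esp-ike": exactly one ESP session
    can be forwarded, because nothing distinguishes a second one on return.
    statics maps an inside address to a dedicated public address (1:1 static).
    """

    def __init__(self, public_ip, esp_passthrough=False, statics=None):
        self.public_ip = public_ip
        self.esp_passthrough = esp_passthrough
        self.statics = dict(statics or {})
        self.xlate = {}        # (proto, public port) -> (inside ip, inside port)
        self.esp_owner = None  # inside host holding the single ESP slot
        self.next_port = 1024

    def outbound(self, pkt):
        """Translate an inside->outside packet; raise ValueError if dropped."""
        src = pkt["src"]
        if src in self.statics:
            # 1:1 static: only the address changes, so no port is needed.
            return {**pkt, "src": self.statics[src]}
        if pkt["proto"] == ESP:
            if not self.esp_passthrough:
                raise ValueError("ESP dropped: PAT has no port field to rewrite")
            if self.esp_owner not in (None, src):
                raise ValueError("ESP dropped: the single esp-ike slot is taken")
            self.esp_owner = src
            return {**pkt, "src": self.public_ip}
        # UDP/TCP (including NAT-T on UDP/4500): rewrite address and source port.
        port = self.next_port
        self.next_port += 1
        self.xlate[(pkt["proto"], port)] = (src, pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt):
        """Map a reply from outside back to the inside host it belongs to."""
        for inside_ip, public_ip in self.statics.items():
            if pkt["dst"] == public_ip:
                return {**pkt, "dst": inside_ip}
        if pkt["proto"] == ESP:
            if self.esp_owner is None:
                raise ValueError("ESP dropped: no inside owner for this flow")
            return {**pkt, "dst": self.esp_owner}
        inside_ip, inside_port = self.xlate[(pkt["proto"], pkt["dport"])]
        return {**pkt, "dst": inside_ip, "dport": inside_port}


def esp_packet(src, dst, spi):
    """Raw ESP datagram: identified only by SPI, no ports."""
    return {"proto": ESP, "src": src, "dst": dst, "spi": spi}


def nat_t_packet(src, dst, spi):
    """Same ESP payload wrapped in UDP/4500 (NAT-T), so PAT can track it."""
    return {"proto": UDP, "src": src, "sport": NAT_T_PORT, "dst": dst,
            "dport": NAT_T_PORT, "payload": ("ESP", spi)}


def try_clients(pix, make_packet, p2):
    """Send one flow per inside client through pix and check the reply returns
    to the right host. Returns a list of booleans, one per client."""
    ok = []
    for i, host in enumerate(("192.168.1.1", "192.168.1.2")):
        try:
            out = pix.outbound(make_packet(host, p2, spi=0x1000 + i))
            reply = {**out, "src": p2, "dst": out["src"]}
            if "sport" in out:
                reply["sport"], reply["dport"] = out["dport"], out["sport"]
            ok.append(pix.inbound(reply)["dst"] == host)
        except (ValueError, KeyError):
            ok.append(False)
    return ok


def run_scenarios():
    """Which of the thread's options let two inside clients reach p2."""
    p2 = "203.0.113.1"            # constructed address for the customer's p2
    results = {}
    # 1. Plain PAT, raw ESP: nothing passes.
    results["pat_raw_esp"] = try_clients(PatDevice("198.51.100.1"), esp_packet, p2)
    # 2. fixup protocol esp-ike: first client works, second is refused.
    results["fixup_esp_ike"] = try_clients(
        PatDevice("198.51.100.1", esp_passthrough=True), esp_packet, p2)
    # 3. NAT-T: ESP inside UDP/4500 is just another UDP flow to PAT.
    results["nat_t"] = try_clients(PatDevice("198.51.100.1"), nat_t_packet, p2)
    # 4. 1:1 static for one client: raw ESP works for that host only.
    results["static_1to1"] = try_clients(
        PatDevice("198.51.100.1", statics={"192.168.1.1": "198.51.100.2"}),
        esp_packet, p2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} client1={outcome[0]} client2={outcome[1]}")
```

Running it prints one line per option; only NAT-T lets both inside clients connect at once, which is why enabling transparent tunneling (UDP 4500) on the client is the usual answer when the far end supports it, while the static is the fallback when you have a spare public address and only one host needs to reach p2.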