How to activate TCP encapsulation on PIX 515 for Cisco VPN Clients?

Hello,

how can I activate TCP encapsulation for Cisco VPN Clients on the PIX 515, instead of UDP NAT/PAT?

I must use the option "Enable Transport Tunneling" -> "IPsec over TCP" on the VPN Client side, because I have some "low-cost" locations with "low-cost" routers/firewalls.

These routers/firewalls have a buggy NAT/PAT implementation (PAT is not working for ports lower than 1024).

So if more than one user tries to open a VPN Client connection, the first user will be disconnected.

I have found this in the FAQs: Q. I am experiencing problems with only one VPN Client (for releases 3.3 and earlier) being able to connect through a Port Address Translation (PAT) device. What can I do to alleviate this problem?

A. There was a bug in several Network Address Translation (NAT)/PAT implementations that causes ports less than 1024 not to be translated. On the VPN Client 3.1, even with NAT transparency enabled, the Internet Security Association and Key Management Protocol (ISAKMP) session uses UDP 512. The first VPN Client goes through the PAT device and keeps source port 512 on the outside. When the second VPN Client connects, port 512 is already in use. The attempt fails.

There are three possible workarounds.

1. Fix the PAT device.
2. Upgrade the VPN Clients to 3.4 and use TCP encapsulation.
3. Install a VPN 3002 that replaces all VPN Clients.

My option is only solution 2 (Upgrade the VPN Clients to 3.4 and use TCP encapsulation.).

I have clients newer than 3.4 (4.0.4rel). Now how must I configure the PIX to work with TCP encapsulation?

Thank you for your help!

Otmar

Otmar Spoettel

The TCP encap is for VPN concentrators. Get the client 3.6.x or a 4.xx and issue the PIX command isakmp nat-t

This works just fine.

Martin Bilgrav

And what is your PIX OS version? Get 6.3.xx, hopefully the latest 6.3.5 or minimum 6.3.3.

Martin Bilgrav
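A PIX 6.3 remote-access VPN configuration with NAT traversal enabled, as an added example that is not from this thread or from Cisco; the interface name, inside subnet, client pool, group name, DNS server and domain, and the pre-shared key placeholder are all assumptions. The `isakmp nat-t` in the reply above is the abbreviated form of `isakmp nat-traversal`; the trailing number is the NAT keepalive interval in seconds.

```cisco
! Added example (not from the thread): PIX 6.3 remote-access VPN with NAT-T.
! Assumed values: interface "outside", inside LAN 10.1.1.0/24,
! client pool 192.168.100.0/24, group VPNGROUP, placeholder pre-shared key.

! Exempt inside-to-VPN-client traffic from NAT
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Address pool handed out to the VPN Clients
ip local pool VPNPOOL 192.168.100.1-192.168.100.50

! Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec

! Phase 2: ESP 3DES/SHA; a dynamic map because client peer addresses are unknown
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP client configuration address initiate
crypto map VPNMAP client configuration address respond
crypto map VPNMAP interface outside

! Phase 1: ISAKMP on the outside interface with NAT traversal turned on.
! Once a NAT/PAT device is detected, IKE and ESP are carried in UDP 4500;
! 20 is the keepalive interval (seconds) that keeps the PAT entry alive.
isakmp enable outside
isakmp nat-traversal 20
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! VPN Client group: name and password match the client's Group Authentication entry
vpngroup VPNGROUP address-pool VPNPOOL
vpngroup VPNGROUP dns-server 10.1.1.10
vpngroup VPNGROUP default-domain example.com
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password <GROUP-PRESHARED-KEY>
```

After a client connects, `show isakmp sa` and `show crypto ipsec sa` on the PIX show whether the tunnel was negotiated and whether NAT-T (UDP 4500) is in use. The intermediate PAT devices still have to pass UDP 500 and UDP 4500 towards the PIX.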
