PIX and VPN over TCP

Hi to all!

I need some advice, and maybe one of you could help ...

My company is using a PIX firewall, and mobile users use the Cisco VPN Client to be able to connect to our network while they are on the road. The problem is that in many places mobile users can connect to the internet, but via a device with NAT and without NAT-T. Of course in such a case they cannot establish a VPN tunnel. However, the Cisco VPN Client has an option "Enable Transparent Tunneling" (with the settings "IPSec over UDP (NAT/PAT)" and "IPSec over TCP").

Could someone tell me how to configure the PIX (515E) to use this option (or point me to the appropriate doc)? Is this option supported on the PIX at all? I have found only information regarding configuring this option with the Cisco VPN Concentrator.

Thank you in advance for any answer

Krzysztof


isakmp nat-traversal 20

Note that PIX can do nat-traversal only with UDP and using a fixed port 4500.

Jyri Korhonen

It doesn't matter that they are going through devices that do not have NAT-T: the VPN client itself will do NAT-T. If the PIX has NAT-T enabled and the VPN clients are having problems getting through, then the implication is that UDP 500 or UDP 4500 is blocked -- and if that is the case, one would expect that TCP 10000 may well be blocked as well.

Walter Roberson

That is true for PIX 6.3, which the URL you give is for ("v_63"), but I seem to recall reading that there are more tunneling options for PIX 7.x, which a 515E might be running.

Walter Roberson

Yes, but you can change the port with the isakmp ipsec-over-tcp port command.

Michał Iwaszk

Hi!

Hmm! It seems that you guys are right - this is not a NAT-T problem, as I have already turned it on with "isakmp nat-traversal 20". It may be due to blocked UDP ports.

but Jyri has said:

So, could I configure my PIX to use only one TCP or UDP port (preferably one of the "well known" ports) or not?

Krzysztof


The command I wrote works well on ASA, and I forgot to add that to the previous post :-). Take a look at the PIX Configuration Guide and the Command Reference for your OS version; it's all there.

Michał Iwaszk
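To make the port discussion in this thread concrete, here is an added Python helper, not code from any poster, that reads the ISAKMP lines of a PIX 6.3 or ASA/PIX 7.x configuration, lists the client-facing ports the firewall expects (UDP 500 for IKE, UDP 4500 when NAT-T is on, the TCP port(s) when IPsec over TCP is configured) and then reports which transport a roaming user can actually use given what their upstream lets through. The `crypto isakmp ...` 7.x/ASA spellings, the two sample configs and the port list on the ASA example are my assumptions, constructed for the demo.

```python
import re

# Constructed sample configs (not from the thread): PIX 6.3 style and ASA/7.x style.
PIX63_CONFIG = """\
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
"""
ASA_CONFIG = """\
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000 443
"""

ISAKMP_ENABLE = re.compile(r"^(?:crypto )?isakmp enable \S+$")
NAT_T = re.compile(r"^(?:crypto )?isakmp nat-traversal(?: \d+)?$")
OVER_TCP = re.compile(r"^(?:crypto )?isakmp ipsec-over-tcp(?: port((?: \d+)+))?$")


def listening_ports(config):
    """Return {'udp': set, 'tcp': set} of client-facing ports implied by the
    ISAKMP lines of a PIX/ASA config (assumed syntax, see lead-in)."""
    udp, tcp = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if ISAKMP_ENABLE.match(line):
            udp.add(500)        # IKE phase 1 always starts on udp/500
        elif NAT_T.match(line):
            udp.add(4500)       # NAT-T: IKE floats to, and ESP is encapsulated in, udp/4500
        else:
            m = OVER_TCP.match(line)
            if m:
                ports = m.group(1)
                if ports:
                    tcp.update(int(p) for p in ports.split())
                else:
                    tcp.add(10000)  # Cisco's default IPsec-over-TCP port
    return {"udp": udp, "tcp": tcp}


def usable_transports(config, reachable):
    """Given the (proto, port) pairs a client can reach, list the tunnel transports
    that would work. ('esp', 0) stands for raw IP protocol 50 passing unmodified."""
    ports = listening_ports(config)
    ok = []
    if 500 in ports["udp"] and ("udp", 500) in reachable:
        if ("esp", 0) in reachable:
            ok.append("native IPsec (ESP)")
        if 4500 in ports["udp"] and ("udp", 4500) in reachable:
            ok.append("IPsec over UDP (NAT-T, udp/4500)")
    for p in sorted(ports["tcp"]):      # IPsec over TCP carries IKE and ESP on that one port
        if ("tcp", p) in reachable:
            ok.append(f"IPsec over TCP (tcp/{p})")
    return ok
```

Running `usable_transports(PIX63_CONFIG, {("tcp", 10000)})` returns an empty list, which is the situation in this thread: a 6.3 box with NAT-T on has nothing to offer a client whose upstream drops UDP 500/4500.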

Hi!

There is no "isakmp ipsec-over-tcp port" command or anything similar, so the final conclusion is: I CAN'T change the TCP/UDP ports used by the PIX for IPSec tunnels :-( (I have version 6.3)

Best Regards,

Krzysztof

