I have searched high and low for this answer and cannot find anything like this. I have a vendor that requires us to use thier VPN device to connect to thier network. This device is configured to ping an external server and if there is a response to connect to the secure server located there over the internet. If there is no response then it completes a dial backup. only certain clients have access to the VPN device, routing is working because if I turn the pings off the clients can access the web server successfully over the dial backup. When I turn ping back on we get a page cannot be displayed error (i am seeing the ping successes), meaning the IPSEC tunnel is not making it through the firewall. IAW with vendor instructions I have enabled ESP-IKE fixup protocol and created static rules for port 50 and 500
My questions follow,
- what am I missing? I found references to ISAKMP NAT traversal, but in order to enable that I need to disable the ESP-IKE protocol. I only have one client on the inside of the firewall that is creating and accessing the tunnel (the users connect through this device) everything I have found on ESP-IKE is that it should work.
- Is there another port I need to enable?
- The bottom line is I want to allow the IPSEC tunnel from the internal device to pass through the firewall untouched.
I do not have access at all to the vendor device
rules static (inside,outside) udp interface isakmp 192.168.1.251 isakmp netmask 255.255.255.255 0 0 static (inside,outside) tcp interface 500 192.168.1.251 500 netmask255.255.255.255 0 0 static (inside,outside) tcp interface 50 192.168.1.251 50 netmask 255.255.255.255 0 0 map
PIX 515E 192.168.1.254 | | Switch | | Vendor Device (cisco 1711) 192.168.1.251
Thanks in advance for all your help John