Hi everyone,
I recently upgraded a PIX 501 from version 6.2.x to version 6.3.4 in order to take advantage of the NAT-T ability when setting up an IPSec VPN. It seems that all there is to it is the "isakmp nat-traversal" command, but I still can't get it to work. Is there any way to customize the NAT transparency, such as changing the UDP port of the encapsulation? Will NAT-T get applied if the PIX is set up as a hardware VPN client? I have been playing around with setting up a PIX-to-Concentrator VPN connection, where the PIX is sitting behind another PIX doing NAT/PAT, but have not been able to establish the tunnel. The exact same setup works if using a software VPN client, however (the Concentrator reports the software connection as "IPSec/NAT-T"). The Concentrator's log during the establishment of the tunnel shows no activity, so is there any way to do a "debug icmp trace" or any other similar debug command on the Concentrator?
My apologies for leaving out the gory details of the setups, but I think that I am missing something conceptually, not technically.
I would be very grateful for any insight someone might offer.
Thanks,
Bohdan