fixup protocol esp-ike

Discussion in 'Cisco' started by Michael, Nov 28, 2003.

  1. Michael

    Michael Guest

    Hi all,

    I'm using PIX515R with IOS 6.3 and use PAT and dial-in VPN function on PIX.
    No router is connected to PIX. PIX acts as firewall and VPN gateway.
    I'm gonna let one person in company connect to outside VPN server through
    IPSec.
    I've allowed in/out access-lists for protocol 50 (ESP), 51 (AH) and UDP 500 both
    on outside and inside interfaces.
    According to PIX command reference, it told me to add "fixup protocol
    esp-ike" to enable outbound ipsec.
    When I added the command, IOS showed me "PAT for ESP cannot be enabled since
    ISAKMP is enabled,
    please correct your configuration!". Yes, I've enabled crypto map and isakmp
    policy on outside interface
    which is for dial-in VPN.

    Q1. What am I going to do? Actually, I don't want to use the ipsec-manual parameter at
    all, because I'm using a dynamic crypto map for dial-in users.

    Q2. I tried another method. I mapped a static global IP address to that
    user's private IP with the static command.
    I've also revised the access-lists for AH, ESP and ISAKMP to allow
    inbound to that global IP and outbound to that private IP. But the outbound IPsec
    connection still failed.

    I really don't know how to let that person connect to the outside VPN server
    through IPsec. Would anyone tell me, please?

    If you'd be kind enough to help me, please tell me. I'm willing to mail you our
    PIX configuration!!

    Thanks all!!
     
    Michael, Nov 28, 2003
    #1

  2. In article <bq6qqk$>,
    Michael <> wrote:
    :I'm using PIX515R with IOS 6.3 and use PAT and dial-in VPN function on PIX.

    PIX does not use IOS. PIX uses Finesse, but they don't call it that
    anywhere, so just call it PIX OS.

    :I've allow in/out access-lists for protocol 50(esp), 51(ah) and udp 500 both
    :on outside and inside interfaces.
    :According to PIX command reference, it told me to add "fixup protocol
    :esp-ike" to enable outbound ipsec.
    :When I added the command, IOS showed me "PAT for ESP cannot be enabled since
    :ISAKMP is enabled,

    The documentation about the esp-ike fixup is clear about this. You
    can't have isakmp and esp-ike at the same time.

    :Q1. What'm I gonna do?

    The approach you tried for Q2.

    :Q2. I tried another method. I mapped a static global ip address to that
    :user's private ip by static command.
    : I've also revised access-lists for ah, esp and isakmp to allow
    :inbound to that global
    : ip and outbound to that private ip. But outbound ipsec connection
    :still failed.

    You mapped a private IP to a public IP. That's incompatible with AH
    in principle. You might have to either get the other end to turn off
    AH, or else give the user a public IP address internally.

    First, though, go back and turn off the esp-ike fixup, and then
    turn on isakmp nat-traversal and permit UDP 4500 through the ACLs, and
    then have your user try again. If the software at both ends is recent
    enough, then isakmp nat-traversal will allow the software to detect
    that it is being NAT'd and the software will encapsulate AH and ESP
    through UDP 4500. This can be used with PAT when it works at all.
    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Walter Roberson, Nov 29, 2003
    #2
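The sequence in the reply above (drop the esp-ike fixup, keep ISAKMP for the dial-in users, enable NAT traversal, open UDP 4500, and keep the one-to-one static from Q2), written out as an added PIX OS 6.3 configuration fragment. This is not configuration posted by either participant: the interface names, the ACL names outside_in and inside_in, the inside host 10.0.0.50, its global address 203.0.113.10 and the remote VPN server 198.51.100.5 are placeholders chosen for the example.

```cisco
! Added example, not from the original posts. Addresses, ACL names and
! interface names are placeholders.

! 1. The PIX refuses "fixup protocol esp-ike" while ISAKMP is enabled, so
!    remove the fixup rather than giving up the dial-in VPN.
no fixup protocol esp-ike

! 2. Keep the existing dial-in VPN (dynamic crypto map + isakmp on outside)
!    and add NAT traversal. The argument is the NAT keepalive interval in
!    seconds; 20 is the platform default.
isakmp enable outside
isakmp nat-traversal 20

! 3. One-to-one static for the single inside user who must reach the
!    outside VPN server, so the ESP/IKE flows are not PAT'd.
static (inside,outside) 203.0.113.10 10.0.0.50 netmask 255.255.255.255 0 0

! 4. Inbound ACL on the outside interface: IKE (UDP 500), NAT-T (UDP 4500)
!    and ESP from the remote server to the user's global address. AH is
!    deliberately not opened: it authenticates the IP header, so it cannot
!    survive the address rewrite and must be disabled on the far end.
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside

! 5. Matching permits from the user's private address, only needed because
!    an ACL is applied on the inside interface too (as in the question).
access-list inside_in permit udp host 10.0.0.50 host 198.51.100.5 eq 500
access-list inside_in permit udp host 10.0.0.50 host 198.51.100.5 eq 4500
access-list inside_in permit esp host 10.0.0.50 host 198.51.100.5
access-group inside_in in interface inside
```

Two checks before blaming the PIX: NAT-T only helps if the user's client and the remote VPN server both negotiate it during IKE (otherwise ESP still goes out as raw protocol 50, which the static alone can carry), and if the remote policy insists on AH the connection will fail regardless of how the ACLs are written, as the reply notes.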
