Cisco VPN through a PIX 501 to another PIX?

I've been Googling this problem for about an hour, and it looks like
it's an old chestnut of a question, but I'm getting no nearer a
solution, and am rapidly losing my hair!

The wife's work have put in a PIX (model and software versions
unknown, but probably nothing fancy) to allow remote workers to
connect in. We have a PIX 501 between the home network and the
Internet router.

So we have:
Win2K PC, Cisco VPN Client (4.0.3(A)) --> PIX 501 (6.3(1)) --> Router
--> Internet --> Other PIX --> Internal Hosts

It's the usual story that if I plug the PC directly into the Router,
all is fine - I get an IPSec connection established and can ping the
IP addresses of the internal hosts.

If I plug the router into the PIX 501, I still get the IPSec session
established (and still get an IP address and DNS addresses allocated
from the Other PIX), but I can't ping any of the internal hosts. The
VPN Client tells me that it has sent a few kB, but received zero
bytes. Winding up the logging on the client and debugging the packets
on the 501 show that there is some kind of exchange of packets going
on (keepalives?).

The VPN client is configured for Transparent Tunnelling ("IPSec over
UDP (NAT/PAT)"), and I seem to recall somewhere that IPSec over TCP is
not an option for the Other (VPN Gateway) PIX. Our PIX 501 is doing
NAT only (not PAT).

I've tried "fixup prot esp-ike" and/or "isakmp nat-traversal" on my
PIX 501, but singly or together they give no improvement. Is there
something that needs to be done on the Other PIX?

Thoroughly confused...
Andrew

 

Yes, they will need to have NAT Traversal enabled on the PIX at their end.

isakmp nat-traversal 20

Jo

 

Thanks, I'll see if I get them to enable that. Presumably I would need
to set the esp-ike fixup on my PIX, but not NAT Traversal?

Regards
Andrew

 

Thanks, I'll see if I get them to enable that. Presumably I would need

On my PIX I havent enabled any fixups and it works fine connecting to
various other PIXs using the Cisco Client.

 

I would suggest on your home PIX open the IP protocol 50/51 and UDP
port 500 for ISAKMP for inbound traffic (use access-list). That
should allow your VPN connection to work fine.

 

Thanks, I'll see what they say about the config.

Regards
Andrew