How activate TCP encapsulation on PIX 515 for Cisco VPN Clients?

Hello,

how can i activate TCP encapsulation for Cisco VPN clients on the PIX
515, instead of UDP NAT/PAT?

I must use on the VPN-Client Side the option "Enable Transport
tunneling" -> "IPsec over TCP", because i have some "lowcost" locations
with "lowcost" router/firewalls.

This router/firewalls have a buggy NAT/PAT implementation (PAT is not
working for Ports lower 1024).

So if more than 1 user tries to open a VPN-Client connection, the first
user will be disconnected.

I have found this in the FAQs:
Q. I am experiencing problems with only one VPN Client (for releases 3.3
and earlier) being able to connect through a Port Address Translation
(PAT) device. What can I do to alleviate this problem?

A. There was a bug in several Network Address Translation (NAT)/PAT
implementations that causes ports less than 1024 not to be translated.
On the VPN Client 3.1, even with NAT transparency enabled, the Internet
Security Association and Key Management Protocol (ISAKMP) session uses
UDP 512. The first VPN Client goes through the PAT device and keeps
source port 512 on the outside. When the second VPN Client connects,
port 512 is already in use. The attempt fails.

There are three possible workarounds.

Fix the PAT device.
Upgrade the VPN Clients to 3.4 and use TCP encapsulation.
Install a VPN 3002 that replaces all VPN Clients.

My option is only solution 2 (Upgrade the VPN Clients to 3.4 and use TCP
encapsulation.).

I have clients newer than 3.4 (4.0.4rel)
Now how i must configure the PIX to work with TCP encapsulation?

Thank you for your help!

Otmar

 

the TCP encap is for VON concentrators.
get the client 3.6.x or a 4.xx and issue the PIX command isakmp nat-t

This works just fine.

HTH
Martin

 

and what is your PIX OS Version ?
get 6.3.xx hopefully the latest 6.3.5 or minimum 6.3.3