PIX and VPN over TCP

Discussion in 'Cisco' started by Krzysztof, Mar 16, 2007.

  1. Krzysztof

    Krzysztof Guest

    Hi to all!

    I need an advice and maybe someone of you could help ...

    My company is usig PIX firewall, and mobile user use Cisco VPN Client, to be
    able to connect with our network while they are on the road. Problem is,
    that in many places mobile users can connect to internet, but via device
    with NAT and without NAT-T. Ofcourse in such a case they could not establish
    VPN tunel.
    However Cisco VPN Client has an option "Enable transparent Tunneling" (with
    setting "IPSec over UDP (NAT/PAT)" and "IPSec over TCP").

    Could someone tell me how to configure PIX (515E) to use this option (or
    point me to appropriate doc)? Is this option at all supported on PIX? I have
    found only information regarding configuring this option with Cisco VPN

    Thank you in advance for any answer

    Krzysztof, Mar 16, 2007
    1. Advertisements

  2. isakmp nat-traversal 20


    Note that PIX can do nat-traversal only with UDP and
    using a fixed port 4500.
    Jyri Korhonen, Mar 16, 2007
    1. Advertisements

  3. It doesn't matter that they are going through devices that do not
    have NAT-T: the VPN client itself will do NAT-T. If the PIX has
    NAT-T enabled and the VPN clients are having problems getting
    through, then the implication is that UDP 500 or UDP 4500 is blocked --
    and if that is the case, one would expect that TCP 10000 may well
    be blocked as well.
    Walter Roberson, Mar 16, 2007
  4. That is true for PIX 6.3, which the url you give is for ("v_63"),
    but I seem to recall reading that there is are more tunneling
    options for PIX 7.x, which a 515E might be running.
    Walter Roberson, Mar 16, 2007
  5. Yes, but You can change the port with isakmp ipsec-over-tcp port <port>
    =?ISO-8859-2?Q?Micha=B3_Iwaszko?=, Mar 16, 2007
  6. Krzysztof

    Krzysztof Guest


    Hmm! It seem that you guys are right - this not NAT-T problem, as I have
    already turned it on with "isakmp nat-traversal 20". It may be due to
    blocking UDP ports.
    but Jyri has said:
    So, could I configure my PIX to use only one TCP or UDP port (preferable
    using one of "well known port") or not?

    Krzysztof, Mar 16, 2007
  7. The command I wrote works well on ASA and I forgot to add it to the
    previous post :). Take a look at a PIX Configuration Guide and a
    Command Reference for Your OS version - It's all there.
    =?ISO-8859-2?Q?Micha=B3_Iwaszko?=, Mar 16, 2007
  8. Krzysztof

    Krzysztof Guest

    There is no "isakmp ipsec-over-tcp port" command or anything similar, so
    final conclusion is:
    I CAN'T change TCP/UDP ports used by PIX for IPSec tunnels :-( (I have
    version 6.3)

    Best Regards:

    Krzysztof, Mar 16, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.