PIX - VPN pass-thru & VPN tunnel simultaneously

Discussion in 'Cisco' started by Merv, Feb 16, 2005.

  1. Merv

    Merv Guest

    In order to configure "isakmp enable outside"
    it is necessary to remove "fixup protocol esp-ike".

    Does this mean that the PIX does not support VPN pass-thru and VPN
    tunnels (IPSEC-based) simultaneously ???
    Merv, Feb 16, 2005
  2. Merv

    AJN Guest

    I guess you mean by pass-thru a hub & spoke topology (when a PIX A establishes
    a VPN tunnel with a PIX B through a PIX C). Hub & spoke VPN tunnels are
    possible if the interface communicating with PIX A is different from the
    interface communicating with PIX B (to avoid routing traffic to the
    originating interface). In this case you have to set rules that route IKE traffic
    destined to the other IPSec endpoint to the appropriate interface, and end
    the other traffic destined to itself (as an IPSec endpoint).

    PIX Firewall Version 6.3 provides improved support for application
    inspection of Encapsulating Security Payload (ESP) and for using IPSec with
    NAT. ESP is an IPSec protocol that provides data confidentiality, data
    integrity, and protection services, optional data origin authentication, and
    anti-replay services. ESP encapsulates the data to be protected.

    However, because ESP packets do not identify the ports that are involved,
    PAT is performed by assigning port 0 (zero). Only one ESP tunnel is
    supported at a time. Also, when the PIX Firewall has this feature enabled,
    it cannot terminate VPN tunnels in relation to other IPSec peers.

    That's why you have to verify that "fixup protocol esp-ike" is disabled by

    I hope I answered your question.
    AJN, Feb 18, 2005
