RE: [fw-wiz] Clients cant access pix w/ vpn from behind nat devices using the newest cisco client.

From: Melson, Paul (
Date: 10/22/03

  • Next message: Scot Kreienkamp: "RE: [fw-wiz] Cisco PIX DHCP relay via IPSEC"
    To: "Vincent Martin" <>, <>
    Date: Wed, 22 Oct 2003 13:00:01 -0400

    Part of the issue is that the NAT device is changing the source ports on
    the VPN client, which causes problems for the PIX unless `isakmp
    nat-traversal` (which, as you said, is available in PIX OS 6.3) is set
    in the config. Depending on the NAT device, you may be able to
    statically map the source port based on the destination port and/or
    address. In some D-Link, Linksys, and probably other SOHO products,
    there is a feature called "IPSec Passthrough" that can be enabled. On a
    Linux or *BSD type firewall, you can do this manually. With pf, you
    want to use 'static-port'. Here is the nat rule from pf.conf on my
    OpenBSD firewall. The interface and network macros are defined
    elsewhere in the config, but you get the idea.

    nat on $ext_if from to $vpn_nets -> ($ext_if) static-port


    -----Original Message-----
    I am having some problems connecting to a pix firewall vpn connection
    the cisco client when the clients are behind a nat device to the
    Is there a way to let them connect without giving them a routable ip
    or modifying there routers at all? Have any of you ever had to get past
    this problem? Is it possible to get past this problem? I am new to pix
    I have done some research. It seems that we need version 6.3 of the OS
    that possibly doing nat traversal would help. All this is configured
    though. Any help would be great. Thanks a lot.
    firewall-wizards mailing list

  • Next message: Scot Kreienkamp: "RE: [fw-wiz] Cisco PIX DHCP relay via IPSEC"