
Cisco PIX VPN + Port Forwarding


deafsquad

Technical User
Joined
Jan 30, 2004
Messages
2
Location
DE
Hello,

If I set up a VPN tunnel without port forwarding via a static port translation, the VPN tunnel works. But after adding a static rule

static (inside,outside) tcp interface 3389 xxx 3389 netmask 255.255.255.255 0 0

and rebooting the PIX, the UDP information for the tunnel seems to go directly to the static client xxx and there is no way to build up the tunnel. WHY??? How can I make a PAT forward and still be able to open a VPN tunnel?
 
What kind of VPN? What is your static translation for VPN?
 
Normal IPsec tunnel, no static translation needed for it. The problem is that the client behind the PIX has to be accessible from the VPN and from the internet through the port forwarding.
 
Ok... You need to run code 6.3.x and enable "fixup protocol esp-ike"; that should take care of the PAT issue for IPsec. However, this solution would screw things up if you have an IPsec LAN-to-LAN tunnel configured on the PIX. Another alternative is to enable NAT-T (NAT Traversal) on the head-end device; with this solution you don't have to do anything on the PIX, since the VPN client will use NAT-T and therefore encapsulate the ESP protocol in a UDP packet.
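To illustrate the reply above (why a port-based PAT has nothing to rewrite in raw ESP, and what the NAT-T UDP/4500 encapsulation the head-end would use looks like on the wire), here is an added Python example that is not from the thread. The datagram bytes are constructed, and the UDP/4500 layout is assumed to follow RFC 3948 (0xFF keepalive, four-zero-byte non-ESP marker before IKE, otherwise a non-zero ESP SPI).

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50       # raw IPsec ESP is an IP protocol, not a TCP/UDP service
NATT_PORT = 4500       # UDP port NAT-T (RFC 3948) uses for encapsulated ESP and IKE

def pat_key(proto, src_ip, src_port=None):
    """Return the tuple a port-based translator (PAT) keys a flow on, or None.
    Raw ESP carries no transport ports, so once the outside address is also
    claimed by a static PAT there is nothing for the translator to rewrite."""
    if proto == IPPROTO_ESP:
        return None
    return (proto, src_ip, src_port)

def classify_udp4500(payload):
    """Demultiplex a UDP/4500 datagram the way a NAT-T peer does (RFC 3948):
    a single 0xFF byte is a NAT keepalive, four zero bytes (the non-ESP
    marker) precede an IKE header, and anything else starts with a
    non-zero ESP SPI followed by the sequence number."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return ("keepalive", None)
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return ("ike", payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:
            return ("esp", {"spi": spi, "seq": seq})
    return ("unknown", None)

# Constructed sample datagrams (not captured traffic).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = b"\x00\x00\x00\x00" + bytes(28)                 # marker + IKE header placeholder
SAMPLE_ESP = struct.pack("!II", 0x0ABCDEF1, 7) + bytes(16)   # SPI, seq, ciphertext placeholder

def demo():
    """Compare the two client behaviours discussed in the thread."""
    raw = pat_key(IPPROTO_ESP, "192.0.2.10")               # raw ESP through PAT: untranslatable
    natt = pat_key(IPPROTO_UDP, "192.0.2.10", NATT_PORT)    # NAT-T: ordinary UDP flow, PAT works
    kinds = [classify_udp4500(p)[0] for p in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP)]
    return raw, natt, kinds

if __name__ == "__main__":
    print(demo())   # (None, (17, '192.0.2.10', 4500), ['keepalive', 'ike', 'esp'])
```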
 