PIX OS 6.3 pb with PAT

(OP)
Hi groupmembers,

I got a really big problem.
I have seen this both working on some PIXes and not working on others, all running 6.3.x.

What they have in common is that I run interface PAT.
The PIXes are Internet gateways, so they do not have any "strange" or unusual config, just plain global and nat statements for outbound web access in HotSpot solutions.

Several users use the Cisco VPN client towards VPN3000 headends.
UDP encap on both udp/10000 and 4500 (NAT-T).
The first user connects just fine.
And this is the real problem:
Whenever a second user tries to connect via VPN, the PIX reports "Portmap translation creation failed"!!
I can see in show xlate that udp/500 is PAT'ed to ... udp/500!! So no PAT on low ports!
OMG this problem should have been solved in rel 6.2 !

What is going on here ?

I am very upset about this problem, as it should not have been there.
I have tried 6.3.3 and 6.3.4



RE: PIX OS 6.3 pb with PAT

do you need
fixup protocol esp-ike

RE: PIX OS 6.3 pb with PAT

(OP)
No - this is the old PAT problem, where the PIX doesn't do PAT on low port numbers.

It is udp500 ISAKMP not ESP, which is encapped...

RE: PIX OS 6.3 pb with PAT

(OP)
After getting a useless Cisco TAC engineer, I decided to go and downgrade the PIX to the latest GD version (6.2.4).
This works!!
Just to emphasize that they did fix it way back.

The strange thing then happens as I start flashing one version at a time. Here is a list of the order:

633 no go
634 no go
633_132 no go
624 GO
631 GO
633_109 GO (this is strange)
634 GO (!)

So I can only conclude that I have had a bad flash, that after several re-writes came back to order.

If I see this once more I surely will go for an RMA.
