PIX IPsec passthrough using PAT with site-to-site VPN

Status
Not open for further replies.

cbike

MIS
Jun 1, 2003
5
US
Just wondering if anyone ran into this problem. I have a PIX 515 with multiple site-to-site VPNs. I am using PAT for general office users. I tried to implement IPsec passthrough using the "fixup protocol esp-ike" command, but I get an error message saying that I need to turn off isakmp on my outside interface.

Since I have multiple site-to-site VPNs, can I get around this issue?

It works if I assign one-to-one NAT for people who need to VPN out.

thanks...
-Creighton
 
Nope! The fixup protocol esp-ike doesn't work if there are site-to-site tunnels. You need to enable NAT-T on the PIX instead.
 
Sorry, but how do I enable NAT-T?
thanks...

-Creighton
 
Cbike,

How are you applying your PAT statement? Overload or some other way? Just curious, I am learning to use PAT as we speak and am a little complexed over it. :)

gman
 
If you put only a single IP address in your global statement then the PIX will do PAT. Multiple IP addresses will cause the PIX to do one-to-one NAT and not allow for overloads. BTW, the overload is used with IOS NAT.
 