>> The VPN client connects into the Pix when I "Enable Transparent
>> Tunneling (IPsec over UDP)" but fails when using "Use IPSec over
>> TCP Port 443 or 10000".
>> Is TCP tunneling only available against a VPN 300x concentrator
>> or does the PIX in v6.3(1) support this through the isakmp nat-traversal
>> command?
> I'm sorry, but even the latest Pix OS 6.3(2) supports only UDP
> tunneling with fixed port 4500 so you can't change the port.
> TCP tunneling is available only with a Cisco VPN Concentrator.
And to be more precise, IPSec over UDP on port 4500 is only available
when making VPN connections to the PIX when the VPN client is NAT'ed.
Why? Because the PIX only implements IETF NAT-Traversal, which detects
the presence of NAT by sending NAT Discovery packets with hashes of the
source and destination IP address(es) and ports. Thus, if you make a
VPN connection to a PIX and the VPN client isn't NAT'ed, you won't get
IPSec over UDP on port 4500 (unless the PIX itself is NAT'ed, but that
is a strange case).
In the VPN Concentrator, IPSec over UDP (default is on port 10000 but
it can be changed), NAT-Traversal, and IPSec over TCP (can specify the
port) are independent options. Thus, if you enable both IPSec over UDP
(on default port of 10000) and NAT-Traversal in the VPN Concentrator,
non-NAT'ed remote clients will do IPSec over UDP on port 10000 and
NAT'ed VPN clients will do IPSec over UDP on port 4500.
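The NAT-Discovery mechanism described above, worked through as an added example that is not part of this thread and not Cisco code: each peer sends hashes of the address/port pairs it believes are in use (the RFC 3947 layout HASH(CKY-I | CKY-R | IP | Port)), and a mismatch against what the other side actually observed reveals a NAT. The cookies, addresses and ports are constructed, SHA-1 is an illustrative choice, and the "UDP/4500 only when NAT is detected" rule models the PIX behaviour as the reply describes it.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (8 bytes each) for this illustration only.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(addr, port, cky_i=CKY_I, cky_r=CKY_R):
    """NAT-D payload value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 here for illustration; a real IKE SA uses its negotiated hash."""
    ip = ipaddress.ip_address(addr).packed
    return hashlib.sha1(cky_i + cky_r + ip + struct.pack("!H", port)).digest()


def nat_d_payloads(local, remote):
    """Each peer sends two NAT-D payloads: first the hash of the address/port it
    believes the *remote* peer has, then the hash of its *own* address/port."""
    return [nat_d_hash(*remote), nat_d_hash(*local)]


def detect_nat(client_local, client_view_of_pix, pix_local, pix_view_of_client):
    """Evaluate the exchange from the PIX's side. Returns
    (client_behind_nat, pix_behind_nat). Arguments are (ip, port) tuples:
      client_local        the address/port the client itself uses
      client_view_of_pix  the PIX address/port the client sent to
      pix_local           the address/port the PIX itself uses
      pix_view_of_client  the source ip/port the PIX actually saw on the packet"""
    remote_hash, own_hash = nat_d_payloads(client_local, client_view_of_pix)
    # Client's own hash vs. the source the PIX observed: mismatch => client NAT'ed.
    client_nat = own_hash != nat_d_hash(*pix_view_of_client)
    # Client's view of the PIX vs. the PIX's real address: mismatch => PIX NAT'ed.
    pix_nat = remote_hash != nat_d_hash(*pix_local)
    return client_nat, pix_nat


def pix_encapsulation(*args):
    """PIX rule as described in the thread: UDP/4500 encapsulation only when
    NAT-T detected a NAT somewhere on the path, otherwise plain ESP."""
    return "udp/4500" if any(detect_nat(*args)) else "esp"


if __name__ == "__main__":
    pix = ("198.51.100.1", 500)
    # Constructed: client on RFC 1918 space, NAT'ed to a public address/port.
    print(pix_encapsulation(("192.168.1.10", 500), pix, pix, ("203.0.113.7", 62000)))
    # Constructed: client with a public address and no NAT in the path.
    print(pix_encapsulation(("203.0.113.9", 500), pix, pix, ("203.0.113.9", 500)))
```

The second case is the one the reply warns about: with no NAT in the path the hashes agree, so the PIX never switches to UDP/4500 even though the client has "IPSec over UDP" enabled.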