I found this info under 3.6 client

Allowing the VPN Client to Work Through ESP-Aware NAT/Firewalls

When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client's keepalive implementation, called DPD (Dead Peer Detection). When a Client is idle, it does not send a keepalive until it sends data and gets no response.

To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the following parameter and setting to the [Main] section of any *.pcf (profile configuration file) for the affected connection profile.

ForceKeepAlives=1

This parameter enables IKE and ESP keepalives for the connection at approximately 20 second intervals.

For more information, see "Connection Profile Configuration Parameters" in the VPN Client Administrator

>
> From: "Kevin O'Gilvie"
> Date: 2003/03/05 Wed PM 11:16:52 EST
> To: [EMAIL PROTECTED]
> Subject: RE: VPN Client behind PIX [7:64358]
>
> I couldn't have said it better myself!!
>
> >From: "brett spunt"
> >To: "'Kevin O'Gilvie'" ,
> >Subject: RE: VPN Client behind PIX [7:64358]
> >Date: Wed, 5 Mar 2003 19:17:26 -0800
> >
> >It's not possible, and here's why. The pix Vpn only supports IPSEC over
> >UDP. Ipsec over UDP is NOT supported when sitting behind a stateful
> >firewall (such as the pix). You need to use Ipsec over TCP if using the
> >vpn client sitting behind a pix, or like stated before, you could create
> >a "site to site" VPN, setting up to peer with the pix at your work. The
> >reason a concentrator will work, is it supports ipsec over tcp
> >connections, in addition to standard ipsec, and ipsec over UDP......
> >
> >HTH,
> >
> >Brett Michael Spunt
> >CCNP,CIPT,MCSE
> >Computer Network Innovations
> >[EMAIL PROTECTED]
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> >Kevin O'Gilvie
> >Sent: Tuesday, March 04, 2003 7:23 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: VPN Client behind PIX [7:64358]
> >
> >I am assuming he is behind a cable modem or dsl.
> >If so, even cisco says this is not possible.
> >If someone has this working please advise..
> >
> > >From: "Greg Owens"
> > >Reply-To: "Greg Owens"
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: VPN Client behind PIX [7:64358]
> > >Date: Tue, 4 Mar 2003 19:09:16 GMT
> > >
> > >You just need to open the ports you are using, ie 500, 47 10000
> > >
> > > > From: "Steve Smith"
> > > > Date: 2003/03/04 Tue AM 11:15:21 EST
> > > > To: [EMAIL PROTECTED]
> > > > Subject: VPN Client behind PIX [7:64358]
> > > >
> > > > OK gang here is the scenario. We have a PIX at work running VPN. I
> > > > have a 515 at home. Before I put the 515 at home in I could use the
> > > > VPN client to connect to work. Now I can not. I remember a year or
> > > > so back reading a Cisco article about this and that you had to use a
> > > > certain IP range on the remote (my house) network. Does anyone know
> > > > anything about this? Any suggestions?
> > > >
> > > > Thanks!
> > > >
> > > > Steve Smith
> > > > Enterprise Engineer
> > > > 901-758-8179 ext. 108
> > > > TEKSELL
> > > > [EMAIL PROTECTED]
> > >Greg Owens
> > >202-398-2552

Greg Owens
202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64602&t=64358
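
The profile change quoted from the release notes at the top of this message, applied programmatically. This is an added example, not part of the original post or of Cisco's tooling; the function name and the sample profile are constructed, and treating a leading `!` as the read-only marker on a key is an assumption.

```python
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Optional leading "!" (assumed read-only marker) is preserved when rewriting.
KEY_RE = re.compile(r"^\s*(?P<ro>!?)\s*ForceKeepAlives\s*=\s*(?P<val>.*?)\s*$",
                    re.IGNORECASE)

def ensure_force_keepalives(pcf_text):
    """Return (new_text, changed) with ForceKeepAlives=1 set in [Main] only."""
    out = []
    in_main = seen_main = key_done = changed = False
    last_main_idx = None  # index in `out` of the last non-blank [Main] line
    for line in pcf_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            # Section names are matched case-insensitively ([main] / [Main]).
            in_main = sec.group("name").strip().lower() == "main"
            seen_main = seen_main or in_main
        elif in_main:
            m = KEY_RE.match(line)
            if m:
                if key_done:          # duplicate key: keep only the first
                    changed = True
                    continue
                key_done = True
                if m.group("val") != "1":
                    line = m.group("ro") + "ForceKeepAlives=1"
                    changed = True
        if in_main and line.strip():
            last_main_idx = len(out)
        out.append(line)
    if not seen_main:
        raise ValueError("no [Main] section; not a connection profile?")
    if not key_done:
        # Key absent: add it after the last non-blank line of [Main].
        out.insert(last_main_idx + 1, "ForceKeepAlives=1")
        changed = True
    return "\n".join(out) + "\n", changed

# Constructed sample profile (not taken from the thread).
SAMPLE = "[main]\nDescription=constructed sample\nHost=vpn.example.com\n"

if __name__ == "__main__":
    text, changed = ensure_force_keepalives(SAMPLE)
    print(text, end="")
    print("changed:", changed)
```
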