Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Outbound VPN through PIX

Status
Not open for further replies.
robcom99

robcom99

IS-IT--Management
Joined
Apr 3, 2003
Messages
2
Location
US
We sometimes have outside vendors come into our site and require VPN access to their own sites. We have been unsuccessful in allowing such outbound VPN traffic through our PIX 515 even with allowing ANY ANY as our first rule. Our own inbound VPN traffic works fine. Is there a simple explanation for this?
 
Sort by date Sort by votes
Are they trying IPSec? PPTP? L2TP? That might make a difference.

 
Upvote 0 Downvote
We are very new to the PIX and have just gotten it to allow our regular traffic to pass, so please excuse our inexperience.

CChipman, are you saying that the PIX might deny a connection that is using IPsec, PPTP, L2PT, unless we specifically allow it even though we have created a rule that allows traffic from ANY using ANY protocol? I am not doubting you, because even with the ANY ANY rule, they could not connect; so your thought seems logical. How can I check the PIX to see if it allows IPsec, PPTP or L2PT?
 
Upvote 0 Downvote
I believe the Pix won't allow GRE (protocol 47, I think) going out if it's doing PAT. You need to have a static assigned to the internal IP address, and then allow GRE to any from that address.

Here's how you'd do it using conduits (sorry, still using them here):

conduit permit gre host (EXTERNAL IP ADDRESS OF THE COMPUTER) any

I'd tried to allow anyone in my inside zone to make VPN connections to outside networks, but unless they have a static external IP address assigned to them, it won't work.

Hope this helps.
 
Upvote 0 Downvote
Also, I had another question. Whats the IP address on the outside of the router? We experienced a lot of trouble when we discovered that one company was giving users non-routeable addresses (172.16.X.X) for their DSL modems, and then they were using NAT on the inside with 10.0.0.0. Apparently, their hardware was allowing them to actually route the 172 addresses, which technically you can't do, and our Pix was rejecting.
 
Upvote 0 Downvote
HI.

For VPN to work through the pix (both for PPTP and IPSEC), you need STATIC and ACCESS-LIST.
Static is a problem because you use PAT normally, however you can configure a STATIC mapping for an unused ip address, and instruct the visitors to use that address.
The access-list for PPTP should allow GRE (IP protocol 47) from outside. Something like:
access-list fromoutside permit gre any any
And for IPSEC it's:
access-list fromoutside permit udp any any eq 500
access-list fromoutside permit esp any any

But the best solution, is to let those visitors connect outside of the firewall. You use a hub/swtich for the pix outside - router ethernet connection, and give those visitors an unused registered ip address (can be deployed using DHCP on the router).
If you have a DMZ interface on the pix, you can use that instead.
This will work for those visitors, and is safer for your network security.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question Question
Cisco ASA - VPN Question
Replies
6
Views
1K
intel233
intel233
ISDPCMAN
  • Locked
  • Question Question
RDP fails over VPN
Replies
1
Views
493
gkittelson
gkittelson
Shmid
  • Locked
  • Question Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
1K
Shmid
Shmid
WhosYourDiffie
  • Locked
  • Question Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
406
WhosYourDiffie
WhosYourDiffie
ChrisFairley
  • Locked
  • Question Question
Downloads failing through ASA 5520
Replies
1
Views
327
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top