Tekmazter, You began to give me an idea,Please review, and let me know

ajinc

MIS
Aug 7, 2004
73
US
Hello All,
I'm Backkkk....

I still need some ideas on why my PIX is not allowing my vpn client to connect with an outside endpoint.
Has anyone out there ever had this issue?

Briefly

dsl modem <===PIX<===ethernet switch<===pc w / vpn client (safenet softremote & cisco 4.6)

My vpn clients can not connect to the vpn endpoint router when the pix is on the network.

dsl modem <=== ethernet switch <=== pc w / vpn client (safenet & cisco 4.6)

vpn clients connect.

I don't understand why the PIX would stop my VPN client outbound; I don't have any ACLs defined to stop any outbound traffic.

All other Internet communications work fine, it's just this vpn client issue.

PLEASE I need any ideas I could try.. I have been off forum for a while trying to figure this out on my own, but I GIVE UP!!!!

Thanks for any ideas.
Tekmazter (IS/IT--Management) 7 Jun 05 17:29

I can tell you that in order to do this on my network, I have always had to create a special ACL to allow an internal user to use their VPN client (usually Checkpoint) over my pix to another network. I do believe that when the client goes out, on the return, there are additional ports that the remote host attempts to establish a connection on and these are dropped unless a permit ACL is put in place. At least that is my basic understanding of it.

Someone else care to elaborate further? I'd much rather offer a more technical answer than the aforementioned.


ajinc (MIS) 8 Jun 05 14:10
Thanks for the reply Tekmazter,
Could you post the acl that you had to use to accomplish vpn client connectivity, so that I may see if I could adapt it to my situation?

Thanks for any help

 
The pix probably performs nat (or as Cisco would have it "pat"). ESP doesn't pat properly. You need to check whether your vpn client and the remote vpn endpoint support IpSec Nat-traversal or not.

If not, this won't work. If so, configure them to use it.

Cisco and m/soft clients tunnel ESP under UDP 4500 when performing Nat-t, in accordance with the proposed RFC.

Checkpoint, in their wisdom, tunnel it under UDP 2746. Checkpoint SecuRemote/SecureClient vpn clients also open various other ports, such as TCP264 to download a topology, UDP18234 for tunnel test traffic and so on.

CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
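The answer above comes down to one mechanism: PAT keys its translation table on a transport-layer port, and raw ESP (IP protocol 50) has no such port, whereas NAT-T wraps the same ESP payload in UDP so there is a port to rewrite. The following Python is an added example written for this thread, not PIX configuration and not code from any poster; the packet records, the PAT class and the address values are all constructed. It models a single-address PAT and shows that a raw ESP packet cannot be translated while a UDP 4500 (Cisco/Microsoft NAT-T) or UDP 2746 (Check Point) packet can, and it labels the other Check Point ports named in the thread so a capture taken on the inside interface can be read quickly.

```python
"""Toy model of why raw ESP breaks behind a PAT firewall while NAT-T survives."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP, TCP, UDP = 50, 6, 17

# Ports named in the thread (constructed lookup table for classifying a capture).
VPN_PORTS = {
    (UDP, 500): "IKE (ISAKMP)",
    (UDP, 4500): "IPsec NAT-T (Cisco / Microsoft clients)",
    (UDP, 2746): "Check Point UDP encapsulation",
    (TCP, 264): "Check Point topology download",
    (UDP, 18234): "Check Point tunnel test",
}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: it carries no transport header
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP security parameter index (informational here)


def classify(pkt: Packet) -> str:
    """Name the VPN traffic type by protocol and destination port."""
    if pkt.proto == ESP:
        return "raw ESP (IP protocol 50)"
    return VPN_PORTS.get((pkt.proto, pkt.dport), "other")


class Pat:
    """One outside address shared by many inside hosts via source-port rewriting."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table: Dict[Tuple[int, str, int], int] = {}

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None when PAT has no port to key on."""
        if pkt.sport is None:
            # Raw ESP: no source port to rewrite, so a pure PAT cannot record a
            # reverse mapping for the return traffic. This is the failure mode
            # the thread describes.
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.table[key])


def demo() -> Dict[str, Optional[Packet]]:
    """Run a raw ESP flow and a NAT-T flow from the same inside host through PAT."""
    pat = Pat("203.0.113.5")                      # constructed outside address
    inside, endpoint = "192.168.1.10", "198.51.100.1"   # constructed hosts
    raw_esp = Packet(ESP, inside, endpoint, spi=0x1234)
    nat_t = Packet(UDP, inside, endpoint, sport=4500, dport=4500)
    checkpoint = Packet(UDP, inside, endpoint, sport=2746, dport=2746)
    return {
        "raw_esp": pat.translate(raw_esp),        # None: dropped at the PAT
        "nat_t": pat.translate(nat_t),            # translated, return path known
        "checkpoint": pat.translate(checkpoint),  # translated on its own port
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The practical check this suggests is the one the post recommends: confirm that both the client and the remote endpoint negotiate NAT-T, then watch the inside interface for UDP 4500 (or 2746 for Check Point) instead of bare protocol 50 once IKE completes.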
 
Thanks a bunch for the tips, I'll see if it applies to my situation.

Again many thanks!