Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN through PIX 515 not working

Status
Not open for further replies.
abuthemagician

abuthemagician

IS-IT--Management
Joined
Nov 26, 2003
Messages
192
Location
US
We have a PIX 515 firewall setup with our own VPN setup. We have a partner who works in our building that needs to access a different VPN on a PIX firewall outside of our network. When we try to connect to that VPN inside our network, it always fails, and after using Cain & Abel to sniff the traffic for connection information, it comes up with nothing. However if try outside our network, i can connect to the VPN no problem. What should i do to my PIX to enable her to pass through?
 
Sort by date Sort by votes
If the user is using the Cisco Systems VPN Client software then you will probably have to open UDP port 10000 that's the default for IPSec (unless they are using IPSec over TCP) and you will have to open (I'm pretty sure it's) TCP (Not UDP) port 500 for IKE traffic.
 
Upvote 0 Downvote
and i would do that by using a fixup command right?
 
Upvote 0 Downvote
Yes, and I would suggest using Access Lists to control where that data is allowed to go - a specific network, or even better a specific client.
 
Upvote 0 Downvote
the easiest way to get this done is by using PPTP based VPNing

they would configure their end PIX as a PPTP server and you would need to configure the fixup pptp 1723 commands to allow gre and all that jazz through.

but if not...................
_______________________________________________
it's udp 500 for the ike negotiations and ip50 for esp

what is happening (probably) is your firewall is trying to nat the ipsec traffic on the way out of your network to get to the other site's firewall (and from their it all breaks). since the pix does not support transparent tunneling (you said that the remote site also has a PIX firewall, right?) you need to disable nat for the session for your folks to get to their folks (via vpn)


access-list 101 ip YOURNET 255.255.0.0 THEIRNET 255.255.0.0
nat (inside) 0 access-list 101

sysopt connection permit-ipsec
_____________________________________________

and they will need to do the same thing on their end

you just need to follow the steps in creating a LAN2LAN PIX based vpn (then ACL it down so that only the appropriate computers talk to the appropriate computers on their end).


-gC-
 
Upvote 0 Downvote
Is your user using Cisco vpn client or pptp? If Cisco vpn client, you will need the other site to enable nat travsal or the ipsec packets won't be able to come back
isakmp nat-traversal on the dest pix 515
 
Upvote 0 Downvote
the other end is all set up and i have asked the folks who monitor our firewall to fix this. Thanks for the help.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

quazimotto
  • Locked
  • Question Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
322
quazimotto
quazimotto
bfordz
  • Locked
  • Question Question
new help on setting up third party VoIP phones through Catalyst 2960x switch
Replies
0
Views
361
bfordz
bfordz
telemarksman
  • Locked
  • Question Question
ATA Cisco SPA122 not triggering single line courtesy phone ringer
Replies
0
Views
309
telemarksman
telemarksman
steel_bender
  • Locked
  • Question Question
Allow HTTPS TCP Traffic through ASA5525
Replies
1
Views
381
Mogles49
Mogles49
serge9
  • Locked
  • Question Question
Cisco GUI on cme stop working
Replies
2
Views
522
serge9
serge9

Part and Inventory Search

Sponsor

Back
Top