VPN through PIX 515 not working


abuthemagician (IS-IT--Management; joined Nov 26, 2003; 192 messages; location: US)
We have a PIX 515 firewall set up with our own VPN. We have a partner who works in our building who needs to access a different VPN on a PIX firewall outside of our network. When we try to connect to that VPN from inside our network, it always fails, and after using Cain & Abel to sniff the traffic for connection information, it comes up with nothing. However, if I try from outside our network, I can connect to the VPN with no problem. What should I do to my PIX to enable her to pass through?
 
If the user is using the Cisco Systems VPN Client software, then you will probably have to open UDP port 10000, which is the default for IPSec (unless they are using IPSec over TCP), and you will have to open (I'm pretty sure it's) TCP (not UDP) port 500 for IKE traffic.
 
And I would do that by using a fixup command, right?
 
Yes, and I would suggest using Access Lists to control where that data is allowed to go - a specific network, or even better a specific client.
 
the easiest way to get this done is by using PPTP based VPNing

they would configure their end PIX as a PPTP server and you would need to configure the fixup pptp 1723 commands to allow GRE and all that jazz through.

but if not...
_______________________________________________
it's udp 500 for the ike negotiations and ip50 for esp

what is happening (probably) is your firewall is trying to NAT the IPsec traffic on the way out of your network to get to the other site's firewall (and from there it all breaks). since the PIX does not support transparent tunneling (you said that the remote site also has a PIX firewall, right?) you need to disable NAT for the session for your folks to get to their folks (via VPN)


! NAT exemption: traffic from your network to theirs bypasses translation
access-list 101 permit ip YOURNET 255.255.0.0 THEIRNET 255.255.0.0
nat (inside) 0 access-list 101

! let IPsec traffic through without a separate interface ACL
sysopt connection permit-ipsec
_____________________________________________

and they will need to do the same thing on their end

you just need to follow the steps in creating a LAN2LAN PIX based vpn (then ACL it down so that only the appropriate computers talk to the appropriate computers on their end).


-gC-
 
Is your user using the Cisco VPN client or PPTP? If the Cisco VPN client, you will need the other site to enable NAT traversal or the IPsec packets won't be able to come back:
isakmp nat-traversal on the dest pix 515
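To show the mechanics behind gC's "nat 0" exemption and the NAT-traversal suggestion above, here is an added example (not code from the thread or from Cisco) that parses constructed IPv4 packets and tells IKE (UDP 500), NAT-T (UDP 4500) and raw ESP (IP protocol 50) apart; the point it demonstrates is that raw ESP carries no transport port a PAT device could rewrite. Addresses, SPIs and the `build_ipv4` helper are constructed for the sample.

```python
import struct

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for sample input."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, to_bytes(src), to_bytes(dst))
    return hdr + payload


def classify(pkt: bytes) -> dict:
    """Identify IKE / NAT-T / ESP and report whether a layer-4 port exists.

    PAT multiplexes inside hosts by rewriting a transport port. Plain ESP has
    only an SPI and a sequence number, so there is nothing to rewrite: that is
    the traffic exempted with 'nat (inside) 0' or wrapped in UDP 4500 by NAT-T.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "ESP", "spi": spi, "seq": seq, "has_l4_ports": False}
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            kind = "IKE"
        elif NAT_T_PORT in (sport, dport):
            # RFC 3948: four zero bytes (non-ESP marker) mean IKE, else ESP-in-UDP
            kind = "IKE-NAT-T" if data[:4] == b"\x00" * 4 else "ESP-in-UDP"
        else:
            kind = "UDP"
        return {"kind": kind, "sport": sport, "dport": dport, "has_l4_ports": True}
    return {"kind": f"proto-{proto}", "has_l4_ports": False}


# Constructed samples from an inside host to the remote peer (RFC 5737 address).
ESP_PKT = build_ipv4(PROTO_ESP, "10.1.1.5", "203.0.113.9",
                     struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16)
IKE_PKT = build_ipv4(PROTO_UDP, "10.1.1.5", "203.0.113.9",
                     struct.pack("!HHHH", 500, 500, 36, 0) + b"\x00" * 28)
NATT_PKT = build_ipv4(PROTO_UDP, "10.1.1.5", "203.0.113.9",
                      struct.pack("!HHHH", 4500, 4500, 32, 0)
                      + struct.pack("!II", 0x1234ABCD, 2) + b"\x00" * 16)
```

Running `classify` over the three samples shows that only the raw ESP packet lacks a port, which is why it needs either the NAT exemption on your PIX or NAT-T on the remote peer.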
 
the other end is all set up and i have asked the folks who monitor our firewall to fix this. Thanks for the help.
 