Allowing Cisco VPN client through PIX

Status
Not open for further replies.

DanielBowen

Technical User
Jan 26, 2001
Hi there,

I have a Win2000 server running Cisco VPN client trying to connect to a remote site's Cisco VPN server. I have located a Cisco PIX 515 but, although the VPN gets established, I cannot do anything after that (for example, cannot ping their local addresses or access their servers).

Can anyone tell me exactly what I would need to configure on the PIX for this to work?

Thanks in advance

Daniel,
 
Daniel,


#1. Make sure you are not NAT'ing any of your VPN traffic. You should have a NONAT access list that you can use for your VPN traffic.
Something like
nat(outside)0 named-nonat-list


#2. Make sure there is not a translation in effect for the IP your client is getting from the VPN pool, or if it is static make sure it is not being used.

#3. Make sure your PIX is allowing IPSEC/ISAKMP both in and outside.
sysopt connection permit-ipsec

That's all I can think of with limited info.
 
Hi.

Do you have a static mapped IP address for the W2K server?
It should be "STATIC" with a registered IP address which is not the one used by the PIX itself or something else.

You will need to permit the following traffic on the outside interface:

access-list fromoutside permit udp host VPNSERVER host W2KSERVER eq 500
access-list fromoutside permit esp host VPNSERVER host W2KSERVER

Bye
Yizhar Hurwitz
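
An added example, not part of the thread or any poster's code: a Python check that a PIX-style configuration contains what the last answer asks for, namely the static mapping to a registered address and the UDP 500 and ESP permits on the outside interface. The `access-group` binding it also checks is an assumption (the thread does not show it), and the function name and sample addresses are constructed for illustration.

```python
import re

# Constructed sample config; addresses are documentation ranges, not from the thread.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
access-list fromoutside permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list fromoutside permit esp host 198.51.100.5 host 203.0.113.10
access-group fromoutside in interface outside
"""


def audit_vpn_passthrough(config, vpn_server, client_public):
    """Return a list of findings; an empty list means every check passed.

    Only exact host-to-host permits are recognised, so a broader rule
    (for example one using 'any') is reported as missing.
    """
    lines = [" ".join(l.split()) for l in config.splitlines() if l.strip()]
    findings = []

    # 1. One-to-one static translation to the client's registered address.
    static_re = re.compile(r"^static \(inside,outside\) (\S+) \S+")
    if not any(m.group(1) == client_public
               for m in map(static_re.match, lines) if m):
        findings.append(f"no static mapping to {client_public}")

    # 2. Access lists applied inbound on the outside interface (assumed binding).
    group_re = re.compile(r"^access-group (\S+) in interface outside$")
    bound = {m.group(1) for m in map(group_re.match, lines) if m}
    if not bound:
        findings.append("no access-list applied inbound on outside")

    # 3. A bound list must permit ISAKMP (udp/500) and ESP from the VPN server.
    pair = f"host {re.escape(vpn_server)} host {re.escape(client_public)}"
    needed = {
        "ISAKMP (udp/500)": rf"permit udp {pair} eq (500|isakmp)",
        "ESP": rf"permit esp {pair}",
    }
    for label, rule in needed.items():
        patterns = [re.compile(rf"^access-list {re.escape(a)} {rule}$") for a in bound]
        if not any(p.match(l) for p in patterns for l in lines):
            findings.append(f"{label} from {vpn_server} not permitted")
    return findings


if __name__ == "__main__":
    print(audit_vpn_passthrough(SAMPLE_CONFIG, "198.51.100.5", "203.0.113.10"))
```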
 