I recently had a PIX 515 set up to replace our old FW-1. Since then our clients can establish a VPN connection from outside our network, but we have other users inside the LAN that can't establish a VPN connection to their outside connections. In a nutshell, people can VPN into our LAN, but we can't VPN into theirs. Could this be a static NAT problem?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations biv343 on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Cisco VPN will come in but won't go out 1
- Thread starter chad4601
- Start date
ChicagoTechNet
MIS
quoted from go to
Can't VPN outside through Cisco PIX
Symptoms: You run MS VPN clients via Cisco PIX. You can establish a VPN connection from the Internet but can't establish VPN to outside. When attempting to connect to a VPN server on the outside of the PIX it returns error 721, the computer failed to respond.
Resolution: In order to PPTP through the PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723, for example, for pptp: conduit permit gre host x.x.x.197 any AND conduit permit tcp host x.x.x.197 eq 1723. For l2tp over ipsec: conduit permit esp host x.x.x.197 any, conduit permit udp host x.x.x.197 eq 1701 any AND conduit permit udp host x.x.x.197 eq 500 any.
Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
Can't VPN outside through Cisco PIX
Symptoms: You run MS VPN clients via Cisco PIX. You can establish a VPN connection from the Internet but can't establish VPN to outside. When attempting to connect to a VPN server on the outside of the PIX it returns error 721, the computer failed to respond.
Resolution: In order to PPTP through the PIX, you must have a one-to-one mapping from the external IP to an internal IP for type 47 GRE packets and port 1723, for example, for pptp: conduit permit gre host x.x.x.197 any AND conduit permit tcp host x.x.x.197 eq 1723. For l2tp over ipsec: conduit permit esp host x.x.x.197 any, conduit permit udp host x.x.x.197 eq 1701 any AND conduit permit udp host x.x.x.197 eq 500 any.
Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
-
1
- #3
bwilliam13
IS-IT--Management
As of PIX OS 6.3(1), this is no longer an issue. Upgrade to at least 6.3(1), or yes, you will have to do a static one-to-one mapping of public-to-private IP address.
ChicagoTechNet
MIS
bwilliam,
thank you for the information.
Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
thank you for the information.
Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
- Status
Similar threads
- Locked
- Question