
Connect to VPN from behind firewall


mot98

MIS
Jan 25, 2002
CA
Hi All,

I have a user here on my network that needs to use the Cisco VPN client to connect to another location's PIX to gain access to some data.

The problem is I can't seem to configure it so that it can connect. I think it is the fact that my Firewall (PIX 515) is not letting the IP traffic back in.

Can someone point me in the right direction here?

Thanks,


mot98
[cheers]
"Do, or do not. There is no 'try'."
- Yoda ('The Empire Strikes Back')


 
It would be helpful to see your config. Absent that, here are some suggestions:

If your PIX isn't heavily loaded with connections, turn debugging on and watch the messages for errors, i.e. denied packets, etc.

VPN will not work through PIX OS < 6.3 without an available NAT address -NOT- a PAT address. -- PAT = 1 IP for everyone to share - NAT = the user of the VPN would have his own routeable IP for exclusive use.


If you are going to be connecting frequently to the remote location, it may make sense to set up a pix to pix ipsec tunnel, which would be pretty transparent to the end user(s).


 
HI.

Use syslog messages to see what the pix is blocking:

logging on
logging buffer 4
clear log
(Now try to initiate VPN connection)
show log

Logging to an external syslog server is recommended and will let you keep logging history.


The following commands will help you fix the problem:
static (inside,outside) g.g.g.g a.a.a.a
access-list fromoutside permit udp host f.f.f.f eq 500 host g.g.g.g eq 500
access-list fromoutside permit esp host f.f.f.f host g.g.g.g

fromoutside = the ACL bound to outside interface.
a.a.a.a = internal workstation
g.g.g.g = an unused ip address from your registered ip pool.
f.f.f.f = foreign (remote) pix firewall which you are trying to connect to.



Yizhar Hurwitz
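As an added example (not part of Yizhar's post or any Cisco tool), here is a small Python script that scans a buffer of PIX deny messages of the kind the "show log" step produces, picks out the blocked IKE (udp/500) and ESP packets, and prints the static/access-list lines from the recipe above. The sample log lines, the interface names, the ACL name and all IP addresses are constructed for this example, and the script assumes the destination address in each deny line is the public address that the static should map to (g.g.g.g), with the internal workstation (a.a.a.a) supplied by the caller.

```python
import re
from collections import defaultdict

# Constructed sample log buffer, modelled on the PIX "%PIX-4-106023 Deny ... by
# access-group" message. 198.51.100.7 plays f.f.f.f (remote PIX), 192.0.2.10
# plays g.g.g.g (unused public address from the local pool).
SAMPLE_LOG = """\
%PIX-4-106023: Deny udp src outside:198.51.100.7/500 dst inside:192.0.2.10/500 by access-group "fromoutside"
%PIX-4-106023: Deny protocol 50 src outside:198.51.100.7 dst inside:192.0.2.10 by access-group "fromoutside"
%PIX-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:192.0.2.10/445 by access-group "fromoutside"
"""

# Lenient pattern for the deny message; ESP may appear as "esp" or "protocol 50".
DENY_RE = re.compile(
    r'Deny (?P<proto>udp|tcp|protocol 50|esp) src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def find_blocked_ipsec(log_text):
    """Return {(remote_peer, public_ip, acl_name): {'isakmp' and/or 'esp'}} for
    every denied IKE or ESP packet; unrelated denies (e.g. tcp/445) are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        key = (m['src'], m['dst'], m['acl'])
        if m['proto'] == 'udp' and m['sport'] == '500' and m['dport'] == '500':
            hits[key].add('isakmp')          # IKE phase 1/2 negotiation
        elif m['proto'] in ('protocol 50', 'esp'):
            hits[key].add('esp')             # encrypted tunnel traffic
    return dict(hits)


def suggest_fix(hits, inside_host):
    """Build the static + access-list lines from the recipe above for each blocked
    peer. inside_host is a.a.a.a, the internal workstation running the VPN client."""
    lines = []
    for (peer, public_ip, acl), kinds in sorted(hits.items()):
        lines.append(f'static (inside,outside) {public_ip} {inside_host}')
        if 'isakmp' in kinds:
            lines.append(f'access-list {acl} permit udp host {peer} eq 500 host {public_ip} eq 500')
        if 'esp' in kinds:
            lines.append(f'access-list {acl} permit esp host {peer} host {public_ip}')
    return lines


if __name__ == '__main__':
    print('\n'.join(suggest_fix(find_blocked_ipsec(SAMPLE_LOG), '10.1.1.25')))
```

Only packets that match the IKE/ESP profile are turned into permit lines, so the unrelated tcp/445 deny in the sample stays blocked.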
 
Yizhar,
When you say an unused IP from your pool you mean an unused Public IP address. Not an internal address. Correct?
Can you add more than one outside address to this Access list, or is it one outside public address to one outside site for VPN?
Could I set up one machine on my local LAN behind my Firewall that can be used to connect to multiple sites with the VPN Client?
We support multiple clients with Cisco PIX at their sites and need a better connection than Dial-ups. I can get more work done from home where I have no PIX.
flaz
 
Guys -

What do I need to configure to allow an inside host to connect to a remote Checkpoint firewall with SecuRemote? The client is sitting behind a 515 running 6.3.1 and is doing PAT. Is it possible? Netwrkr made it sound possible in 6.3.

Any help would be great.

Thanks
 
HI.

Some answers to "flaz":
> When you say an unused IP from your pool you mean an unused Public IP address. Not an internal address. Correct?
Yes. Correct.

> Can you add more than one outside address to this Access list, or is it one outside public address to one outside site for VPN?
Yes, like any other access-list entry.
You can also use "any" instead of specific hosts.

> Could I set up one machine on my local LAN behind my Firewall that can be used to connect to multiple sites with the VPN Client?
Yes.

> We support multiple clients with Cisco PIX at their sites and need a better connection than Dial-ups. I can get more work done from home where I have no PIX.
I'm not sure what the question is here.
If I got the point, then the answer is that you can upgrade your pix to version 6.3 and enable "nat traversal" (also called "transparent tunneling"); then your remote clients will be able to connect to your pix without modifications at their side, or with minimal changes.
However, nat traversal is a new feature of the pix and 6.3 is in early deployment. So a safer and more mature (but costly) solution is to use a Cisco VPN concentrator 3xxx at the main site.

Bye


Yizhar Hurwitz
 