
Connecting to VPN through the PIX


bwoodley (IS-IT--Management)
Apr 2, 2003
Ok, wasn't sure if this had already been discussed, but I'm having an issue...

We have a PIX 515, ver 6.2 OS

One of our remote customers has a VPN that we access with the Cisco VPN Dialer 3.6. Everything works fine if the employees use a dial-up account and tell the VPN client to connect with it. Why use a modem when you have T lines... So what happens when the people use the VPN over the PIX is this: if they communicate on a 1-to-1 basis with no PAT, and I create an access rule allowing all traffic from the VPN to come in, then it works fine. But if I access it using the normal NAT (everyone coming out of one IP) then it will connect but not allow any traffic to pass through the connection. All they need is essentially a telnet session to run through the VPN. Do I NEED to set up an outside accessible address for the people here? Or can I get by with changing something in the PIX that will allow the communication to work with the NAT/PAT? The only problem is that we have a small public pool and I have no way of sharing 1 IP address with 10+ people who use the client's VPN. Modem line bills are starting to be a problem.

Thanks for any help in advance!
 
Hi.

I understand that the VPN server is at the remote side, managed by the "remote customer".
> We have a PIX 515, ver 6.2 OS
I understand that this PIX is at your side, and is not the VPN server in question, right?
What VPN device is used as the VPN server? Is it a PIX? What OS version?

You have several possible solutions - here are some:

* You can ask the remote customer to create an access-list which will allow SSH from your network to a host at their side. This can also be done with Telnet, but then there is no encryption.

* If the VPN server is a PIX, ask the remote customer to upgrade it to version 6.3, which supports "NAT traversal":

* You can configure a single host at your site with the VPN client, to act as a proxy/NAT/terminal server, so it will connect to the VPN on behalf of the other clients.

* You can purchase a Cisco 3002 VPN hardware client to act as a proxy for VPN connections. A PIX 501 with "Easy VPN" can also do this.

There are other possible variations and solutions...



Yizhar Hurwitz
 
What would be the easiest way to set up the relay for the one VPN client for all to access?
 
Use the following config segment. We are using it and it works.

conduit permit udp host <internal-station-ip> any eq isakmp
conduit permit esp host <internal-station-ip> any
conduit permit gre host <internal-station-ip> any
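For the "one relay host" approach asked about above, the PIX side needs a 1-to-1 mapping for that host as well as the conduits. This is an added example, not any poster's configuration: the addresses are constructed placeholders, the syntax assumes PIX 6.x, and the lines beginning with `!` are explanatory notes rather than commands.

```cisco
! Map the relay workstation to a single dedicated public address so its
! IPsec (ESP) session is never PATed; the rest of the LAN keeps using PAT.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255 0 0

! Conduits name the mapped (global) address, not the private one.
! ISAKMP (UDP 500) for key exchange, ESP for the tunnel itself.
conduit permit udp host 203.0.113.10 any eq isakmp
conduit permit esp host 203.0.113.10 any

! Only needed if the remote server runs NAT-T (PIX 6.3 or later in this
! thread), which carries IPsec inside UDP 4500 so PAT can be used instead.
conduit permit udp host 203.0.113.10 any eq 4500
```

Other inside users then reach the remote customer through this workstation (for example a terminal server or a telnet proxy on it), so only one public address is consumed for the whole group.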
 
Sounds like you should configure NAT-T (NAT traversal); this should be set up on the client and the concentrator. NAT-T wraps up all the IPsec in a TCP or UDP wrapper so you can use PAT. It depends on what you are terminating the clients on (and the software version).
 