Pix 501 Help

Status
Not open for further replies.

RDWILD

Technical User
Apr 8, 2003
8
US
I'm running a PIX 501 on my home network. The PIX has a dynamic outside address and a static inside address. Since the PIX has been put in place, I am unable to establish a VPN connection from my clients on my internal network to an external VPN server or Cisco VPN concentrator. What do I need to do to this PIX 501 to allow my VPN access through it?

Thanks in advance,

Ryan
 
Can you post the config? Also what kind of VPN client is trying to connect to the PIX?
 
I won't be home until this weekend, so I can't get the config until then, although, it's pretty standard out of the box except DHCP has been turned off, and the internal IP address and web host addresses have been changed. The VPN clients I need to use are a Microsoft PPTP client connecting to a Microsoft ISA VPN server, and the Cisco VPN client using IPSec. Neither of these is able to make a connection from my internal network since I put the PIX 501 in place. A friend suggested that maybe it's because I have a dynamic outside IP address, but this suggestion doesn't make much sense to me.

Thanks,

Ryan
 
Sounds like you just need to open the correct ports (PPTP, IPSec, etc.). Having a dynamic IP makes it a little more difficult but it can still be done.

I am assuming that you are terminating the IPSec connections on the PIX itself?

 
No, our IPSec connections terminate on the client, not at the PIX.
 
Right but the client has to terminate a tunnel to something on the other end. Is it the PIX?
 
It goes from a client at my home, which is behind a 501 PIX, across the Internet, through a PIX 520 at work, and then terminates at a Cisco 3000 VPN concentrator. Our VPN connections have been working through the PIX 520 on the work end for quite some time. I'm just not sure what I need to open this up from the client end on the 501.


Thanks,

Ryan
 
Ahhh, ok, making more sense now. I assume that the PIX 501 is doing NAT? If so, make sure you are using transparent tunneling using TCP with the Cisco client.

You shouldn't need to open any ports on the 501.

Another option is to create a site-to-site tunnel between the 501 and the concentrator.
 
Actually I'm using Port Address Translation (the default). Do I need to change this to NAT in order to function? To change to NAT, don't I need a static address on the outside of the PIX to use for this translation?

Using the transparent tunneling with the Cisco client shouldn't be too much of an issue. Are there any suggestions on what I may need to do to allow my Microsoft PPTP connection through this PIX?
 
PAT will work fine. That's what I use at home as well.

I will have to check to see if PPTP works properly with PAT/NAT. Does anyone else know?

 
Why not use the Easy VPN functionality built into the PIX 501 and let your PIX501 tunnel to the 3000 at work? That is what I do to our 3030. Then there isn't a need for the client.

Not sure if this is an option, but it does work great.
 
That of course, would be fine for our Cisco connection at work. Actually after I upgraded my Cisco VPN client to 3.6.3C, I can also get it to work just fine across the PIX 501. It's the PPTP connection that I need to work now. And it doesn't seem to be playing very nice. I need to test all scenarios on this little box because we will be handing them out to a number of our executives... and you know what kind of crazy crap they're going to want to be running from behind these...
 