Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX VPN Client through a PIX 1

Status
Not open for further replies.
Sep 10, 2002
46
GB
Hi I have a PIX515 which has a VPN to another site. However one user needs to use to the VPN client to connect to an extra site (a sister company). Other than this one user, the two companies have no other connection, so I like the idea of him just using the client. He can connect to their site when away from our office, but not when he's on our network behind our PIX. Is there a way to run the Cisco client from behind the our PIX to connect to the other company and if so, how do I go about it? Thanks for any help.
 
Yes there is. What kinf of connection is he using PPTP or IPSEC?
 
You will need to allow esp and udp 500 out and esp back in like so


access-list acl_inside permit esp host iii.iii.iii.iii host xxx.xxx.xxx.xxx
access-list acl_inside permit udp host iii.iii.iii.iii host xxx.xxx.xxx.xxx
access-list acl_outside permit esp host xxx.xxx.xxx.xxx any

You may also need nat traversal depending which version of OS you have.
 
Thanks, just so I get it right, host iii is the IP of the users machine!? (running XP) and the host xxx. will be that of the other site. The PIX version is 6.1
 
Yes,

This should eb access-list acl_inside permit udp host iii.iii.iii.iii host xxx.xxx.xxx.xxx eq 500
 
If you want to permit any packets that come from an IPSec tunnel without checking ACLs for the source and destination interfaces, use the "sysopt connection permit-ipsec" command in global configuration mode.
 
What about if you have a PPTP connection ? I have a similar problem, but the VPN connection is PPTp not IPSec !

Please assist.

 
You will need to ensure access for both tcp 1723 and IP protocol 47 (GRE) is allowed. You will also want to enable the pptp fixup which should automatically open up gre with pptp version 1.





fixup protocol pptp 1723
access-list acl_inside permit tcp host iii.iii.iii.iii host xxx.xxx.xxx.xxx eq 1723
 
I also have another problem, i am not able to use yahoo messenger as well !!
 
again you can use the sysopt connection permit-pptp to open up pptp vpn traffic
 
Not a 100% sure about this but doesnt the sysopt connection permit-pptp only apply to pptp connectiosn terminating at the Pix?


The Fixup for pptp is necessary because it will allow natted clients or patted to make pptp connections by dynamically opening up gre for the clients.
 
I also cannot use Yahoo messenger and MSN messenger. Can use Google Talk though...

Assistance please, what command i need to execute on the PIX to get the above and VPN working ?

 
Hi thanks to NetworkGhost for all his replies, but I've managed to get myself confused, with the commands. The pix throws up errors. "ERROR: Source address,mask <172.31.0.0,255.255.0.0> doesn't pair". This was because the pix errored with "no mask" orginally.

From the first line of NetworkGhost's config I entered:
access-list nameoflink permit esp myip mysubnet remote_pix_ip

This then throws up the error. The PIX version is 6.3, any help would be great.
 
Hi. Just an update. I can now get the VPN client software to connect to the other site, but once it does, I don't get any other response. i.e. I can't ping server IP's, browse the network etc. What do I need to do to generate a network login prompt for that network!? Thanks.
 
Your problem is most likely NAT Traversal. I should have seen this originally. What type of device is your client connecting to on your remote end?
 
Hi, at my end he's on a Win 2000 Server via a PIX 515 and the same set up at the other end. As I said, all I need is for him to validate at there end and access their drives. Thank you.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top