
Setting up 3.5 VPN client to PIX 515 1


bleddyn

Technical User
Jan 3, 2002
2
GB
Hi, I seem to be having some problems setting up the 3.5 VPN client through to a PIX 515.

I have followed the details on the page


which talks about the 3000 client, but I presume this is not that different from the 3.5 client setup? I used that config and can now connect, but I have a few issues.

In all the Cisco samples they seem to use 10.X.X.X addresses, but on my 515 I have three NICs. The DMZ is in a 192.168.100.X address range and internally I am in a 192.168.1.X range. So I created a group for the VPN clients in a 192.168.3.X range; is that OK?

When I log in it assigns a 192.168.3.X address to the client, but when I try to do things I see error messages when I try to access the DMZ.

Deny inbound tcp source outside 192.168.3.1/1123 dst dmz/Hostname/port

I added an access rule to avoid NAT saying 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0, although when I see this in the PDM client it says it's a NULL rule?

So what am I missing? Why are packets getting denied? I tried adding a specific rule for 192.168.3.1 and it still dropped packets. I think it's possibly me not understanding the setup ;)

Could I have assigned some of my 192.168.1.X addresses to the group instead of using a 192.168.3.X group?

Sorry if this sounds a bit confusing; it's how I feel :)

Thanks, Bleddyn
 
Hi.

>>> So I created a group for the VPN clients in a 192.168.3.X range; is that OK?

Yes, that should be OK.

>>> Deny inbound tcp source outside 192.168.3.1/1123 dst dmz/Hostname/port

Remember that VPN clients are considered to be coming from the outside interface of the PIX, so they must have an access-list statement like:
access-list .... permit ip 192.168.3.0 255.255.255.0 ...
*OR instead*
sysopt connection permit-ipsec

>>> I added an access rule to avoid NAT saying 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.0, although when I see this in the PDM client it says it's a NULL rule?

PDM does not (yet?) support nat 0 or other VPN-related options, so it can only ignore them.


You can build a working VPN configuration with pixcript, then modify it manually for your exact needs:

Bye


Yizhar Hurwitz
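As an added example that is not part of either post, here is a PIX 6.x configuration fragment putting the answer's points together for the questioner's three-interface 515: a nat 0 exemption for both the inside and DMZ networks, sysopt connection permit-ipsec, and the crypto and vpngroup lines the 3.5 client needs. The interface names, the group name "vpnclients", the DNS server address and the group password are assumptions; the password is a placeholder.

```cisco
! Added example (not from the thread): PIX 6.x fragment for a 515 with
! outside/inside/dmz interfaces and a 192.168.3.0/24 VPN Client pool.
! Assumed names: pool "vpnpool", ACL "nonat", group "vpnclients".

! VPN Client address pool (the 192.168.3.X group from the question)
ip local pool vpnpool 192.168.3.1-192.168.3.254

! nat 0: exempt inside<->pool and dmz<->pool traffic from NAT. The ACL is
! read from the perspective of the interface it is applied to, so the
! local network is the source and the VPN pool is the destination.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

! Decrypted IPsec traffic enters on "outside"; without this line it is
! checked against the outside ACL and logs "Deny inbound ... source outside
! 192.168.3.1 ...". Caveat: this bypasses the outside ACL for ALL VPN
! traffic. For per-service control, omit it and permit the pool explicitly
! in the access-list applied to outside instead.
sysopt connection permit-ipsec

! Phase 1 (ISAKMP) for remote-access clients: pre-shared group password
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: dynamic crypto map, because client addresses are not known
! in advance; the PIX hands out pool addresses to the clients
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap interface outside

! Group the 3.5 client connects with (group name + password on the client)
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server 192.168.1.10
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password GROUP-PASSWORD-PLACEHOLDER
```

With this in place the "Deny inbound tcp source outside 192.168.3.x" messages should stop for DMZ hosts, because the pool traffic is both exempt from NAT on the dmz interface and allowed past the outside ACL.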
 