
Stop PIX initiating tunnel

Status
Not open for further replies.

relisys

Programmer
Mar 6, 2003
65
GB
Evening all,

Got a small problem - any ideas appreciated.

Have a PIX connecting beyond a crappy DSL router (not my choice, it was imposed upon me). The router does port forwarding to the PIX, which enables me to establish a tunnel between a Symantec SGS 5420 and the PIX 506e, as the router won't handle a public IP address behind it. Nasty piece of DLink rubbish.

If the 5420 initiates the tunnel all works fine. However if the PIX initiates, it fails to connect the tunnel properly (strangely it allows PCs at a remote branch to use terminal server to the main office over the VPN but not access from the individual workstations to the main network).

Basically I get the 5420 to initiate and all works fine for a day and then the VPN stops working. I'm presuming that the tunnel requires rekeying (on both boxes set to 1 day) and that the PIX is trying to reestablish the connection.

Is there any way to prevent the PIX from trying to establish the connection and leave the 5420 to do it? Currently I'm changing the phase 1 ID on the 5420 to a temp ID (dumps the tunnel) and then changing it back, which instantly reestablishes the tunnel, and all is fine and dandy for another day.

Any ideas? Would be most appreciated!

Cheers!

Relisys
 
Well, if you were to set the SA lifetime much higher you would not need to rekey so often, if this is indeed the problem you are having. If it is rekeying, then there should be a quite similar time between each occasion of the tunnel going down.

But you should really try to make a one-to-one static NAT for the PIX in the ISP router instead of just port forwarding.
Also enable NAT traversal; it works better, since this is an industry standard for IPsec over NAT.

Jan


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
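The PIX side of the changes Jan describes, written out as an added illustration in PIX 6.3 syntax (the release the 506e runs). This is not configuration from either poster; the map and ACL names, addresses, transform set and pre-shared key placeholder are assumed, and the one-to-one NAT change is made on the DLink, so it has no counterpart here.

```cisco
! Added example, not from the thread. Names (outside_map, vpn_traffic), the
! 203.0.113.1 peer, the 192.168.1.0/10.0.0.0 networks and PRESHAREDKEY are assumed.

! 1. NAT traversal: negotiates UDP/4500 encapsulation with the SGS 5420, so the
!    DLink only has to forward UDP 500 and UDP 4500 to the PIX rather than pass
!    raw ESP (IP protocol 50). The 20 s keepalive holds the router's NAT/port
!    forwarding entry open while the tunnel is idle.
isakmp nat-traversal 20

! 2. Lifetimes. Both boxes are already at 1 day (86400 s), which is the upper
!    limit the PIX accepts for both commands, so "much higher" can only be set on
!    the SGS side; the PIX values are shown at their maximum for reference.
isakmp policy 10 lifetime 86400
crypto ipsec security-association lifetime seconds 86400

! 3. Dead peer detection: probe every 10 s, retry at 3 s, so a rekey that fails
!    is noticed within about half a minute and the stale SA is torn down instead
!    of leaving the tunnel hung until someone changes the phase 1 ID by hand.
isakmp keepalive 10 3

! Tunnel definition kept for context so the fragment is complete.
sysopt connection permit-ipsec
access-list vpn_traffic permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
isakmp enable outside
isakmp key PRESHAREDKEY address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

After applying it, `show isakmp sa` and `show crypto ipsec sa` on the PIX show whether the peer came up over UDP/4500 and how long remains on each SA, which is the quickest way to confirm the daily drop lines up with the lifetime.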
 