Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

UDP traffic one with PIX VPN with a client side firewall

Status
Not open for further replies.
gregws

gregws

Programmer
Nov 27, 2002
5
US


We are experiencing one way UPD (re. SIP) traffic with a VPN client. The traffic coming from the PIX firewall is not reaching the client IF there is a client side firewall in the way. Outbound (from the VPN client works fine). It is confusing because one would think that encapsulation would allow the traffic to pass through. If we bypass the client side firewall everything works great. If has failed with three different (e.g. Linksys) firewalls.

Thanks.

 
Sort by date Sort by votes
HI.

The SIP protocol is sensitive to NAT and PAT, and requires some manipulation.
The problems at the client side can be for 2 reasons:
1) The client side firewall performs NAT or PAT, and does not translate the SIP traffic properly.
2) The client side firewall does not inspect SIP packets and does not open the required ports for return traffic for that reason.
But the problem could also be at the pix side (or both).

Please provide more details, and another explanation. I don't know if I understood your scenario.
What is the pix OS version?
The latest (ver 6.2x) fixes some bugs with SIP handling at the pix.

At the pix, you can get more info using syslog messages and debug commands, for example:

debug sip
terminal monitor

Read the SIP related RFC documents, it will help you.
And take a look here about the pix fixup command:

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Ping works fine. If there is no client side firewall the application works beautifully. It does seem that the firewall is stopping inbound UDP or SIP traffic. I confuses me because, I would have guessed that the encapsulation of the VPN would 'hide' the packet type.

Greg
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
720
Sameer258
Sameer258
jsaad
  • Locked
  • Question
udp timer
Replies
0
Views
441
jsaad
jsaad
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
605
intel233
intel233
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
201
hairlessupportmonkey
hairlessupportmonkey
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
745
Shmid
Shmid

Part and Inventory Search

Sponsor

Back
Top