
VPN Client 3.0.1 to the outside world


TalentedFool

Programmer
Jul 23, 2001
214
GB
Hi Guys and Gals!

Can somebody tell me what I need to do to open up my firewall and router to be able to use the VPN Client software to connect to a VPN? I can use the software over a dial-up connection but not via my firewall and router. I don't know much about either the PIX or the router, as we've only just started to use them, so I am at the start of a very long road!

Any help would be appreciated.

Thanks

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
You'll need to allow esp and udp port 500.

The conduits would be as follows...

conduit permit esp <source address> any
conduit permit udp <source address> eq 500 ----

Sunyasee B-)
 

Thanks Sunyasee ... Still not fully there but it's a start!

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
HI.

What is the PIX OS version?

I understand that you want internal workstations to be able to VPN, using the Cisco VPN software, to a remote server on the Internet. Right?

If so, then:

* You will need to use NAT or STATIC for the workstations that need VPN access. PAT will not work.
You might need more registered IP addresses for that if you don't have spares.

* The pix should be the only device that does NAT. If the router does NAT also, a network reconfiguration will be required.

* You will need to permit ISAKMP and ESP from the VPN server to your internal network.
Here is an example using a.b.c.d for the address of remote VPN server:

access-list fromoutside permit udp host a.b.c.d eq 500 any eq 500
access-list fromoutside permit esp host a.b.c.d any
access-group fromoutside in interface outside

(If you already have an access-list on "outside", add these lines to the existing access-list.)

This may help:

Bye
Yizhar Hurwitz
 

OK guys,

The PIX is a 515E, v 6.2(1) I think?

I get a problem when I try to add the ESP line to the access-list. Says there's no such port?

I think we're getting through now though, because I get an error message of "Remote Peer is no longer responding" from the VPN Client.

I believe this is something to do with usernames/passwords?

Thanks

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 

Ok guys,

Thanks for your help. What I ended up doing was putting a packet sniffer on and seeing which ports I needed to open up on the firewall and router.

For your info, I opened up UDP 500 (ISAKMP) and 65214, which is what the Cisco VPN was using.

Thanks!

~ Remember - Nothing is Fool Proof to a Talented Fool ~
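A small checker, added here and not from any poster in this thread, that parses PIX 6.x access-list lines (the two from Yizhar's post are the constructed sample) and evaluates the inbound flows a VPN client behind a static needs: ISAKMP udp/500 and ESP from the peer, plus any extra UDP port a sniffer turns up, as in the post above. The peer and global addresses are documentation addresses standing in for a.b.c.d; it shows that the two lines alone leave the extra UDP port hitting the implicit deny.

```python
import ipaddress

PROTOS = {"ip": "ip", "udp": "udp", "tcp": "tcp", "esp": "esp", "50": "esp", "ah": "ah", "51": "ah"}

def _addr(t, i):  # 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' at t[i] -> (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(t, i):  # optional 'eq PORT' at t[i]; only tcp/udp lines carry ports
    if i < len(t) and t[i] == "eq":
        return (500 if t[i + 1] == "isakmp" else int(t[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Rules as (name, action, proto, src_net, sport, dst_net, dport) tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # skip blank lines and non-ACL commands
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append((t[1], t[2], PROTOS[t[3].lower()], src, sport, dst, dport))
    return rules

def evaluate(rules, name, proto, src, sport, dst, dport):
    """First matching line wins; the PIX ends every access-list with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rname, action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rname == name and rproto in ("ip", proto) and s in rsrc and d in rdst
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

def vpn_client_checks(rules, name, peer, global_ip, extra_udp_ports=()):
    """Inbound flows from the VPN peer to the workstation's static (global) address."""
    flows = {"isakmp": ("udp", 500, 500), "esp": ("esp", None, None)}
    flows.update({f"udp/{p}": ("udp", p, p) for p in extra_udp_ports})  # ports a sniffer showed
    return {k: evaluate(rules, name, pr, peer, sp, global_ip, dp)
            for k, (pr, sp, dp) in flows.items()}

# Constructed sample: the thread's two lines, with documentation addresses standing in for a.b.c.d
PEER, GLOBAL = "203.0.113.5", "198.51.100.10"
SAMPLE_ACL = (f"access-list fromoutside permit udp host {PEER} eq 500 any eq 500\n"
              f"access-list fromoutside permit esp host {PEER} any\n")
```

Running `vpn_client_checks(parse_acl(SAMPLE_ACL), "fromoutside", PEER, GLOBAL, (65214,))` returns permit for isakmp and esp but deny for udp/65214 until a matching line is appended.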
 
I am trying to set up VPN access to a client with a Nortel VPN Gateway, using the Nortel Contivity VPN Client, through a PIX 506.
I assume that I will need:
access-list fromoutside permit udp host a.b.c.d eq 500 any eq 500
access-list fromoutside permit esp host a.b.c.d any
in my config but is there anything I am missing?
Has anyone had experience with this kind of setup?
Brock D. Mowry,MCP
Hardware Specialist
iNECTA LLC
Miami, Fl
 