
VPN Through Pix (Not using local pix)

Status
Not open for further replies.

EgWeb (MIS), Oct 14, 2002
Hello,

I have a Pix at my site, and a pix at the customer's site. The customer's pix is set up with an IPsec VPN connection. I can't seem to use the Cisco Client at my site to connect to the customer's pix. I think it has something to do with my pix.

At home, everything works fine, I can connect to the customer without problem.

I'm sure this is a quick fix, anyone?

Thanks,
Andy
 
You might try "sysopt connection permit-ipsec" on your firewall. I haven't seen a reference to this relating to traffic passing through the Pix, only to/from the Pix, but it might work.

Also look at "fixup protocol esp-ike"; it looks like it might solve the issue.
 
I think you'll actually need to configure support for nat traversal on the remote pix, which is done by entering isakmp nat-traversal into the config on their pix. Your client will then tunnel ESP traffic under udp port 4500. Assuming your outbound access lists allow through udp 500 for phase 1 and udp 4500 for phase 2 outbound, you should be okay.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
I'm having a similar problem, but I can't get VPN to the customer's VPN from outside our PIX. I was told all we'd have to do is open up UDP port 5000 and tcp/udp 50 & 51. Is there anything else I need to do?

Here's what I have on my PIX:

conduit permit udp host xxx.xxx.xxx.xxx eq isakmp any (hitcnt=4)
conduit permit tcp host xxx.xxx.xxx.xxx range 50 51 any (hitcnt=0)
conduit permit udp host xxx.xxx.xxx.xxx range 50 51 any (hitcnt=0)
 
Dear Bigmac,

I think you should write:

conduit permit udp host xxx.xxx.xxx.xxx eq isakmp any
conduit permit ip host xxx.xxx.xxx.xxx range 50 51 any

Because IPSEC uses IP ports 50 and 51.

Regards,

danr19
 
IPSec uses protocols 50 and 51. Try

conduit permit 50 host xxx.xxx.xxx.xxx any
conduit permit 51 host xxx.xxx.xxx.xxx any

 
danr19-

That's what I originally tried to put into the PIX, but for some reason it wouldn't accept the following statement, which is why I put it in as separate tcp and udp statements.

conduit permit ip host xxx.xxx.xxx.xxx range 50 51 any

lgarner-

I've tried replacing my tcp/udp statements for ports 50 and 51 with the statements you've recommended, and the PIX accepted them. Haven't had a chance to have someone test it from the outside yet though...

Thanks to both of you guys!
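The statements posted above treat 50 and 51 as tcp/udp ports, whereas IPsec uses them as IP protocol numbers (ESP and AH). The checker below is an added Python example, not code from the thread or from Cisco: it parses conduit lines of the shape posted here, flags that port/protocol mix-up, and reports which of the IPsec pass-through rules discussed in this thread (udp 500 for ISAKMP, udp 4500 for NAT-T, protocols 50 and 51) are still missing. The 203.0.113.10 address is a constructed placeholder for the xxx.xxx.xxx.xxx host.

```python
import re
# What IPsec pass-through needs, keyed by (protocol, port). ESP (50) and AH
# (51) are IP protocols, so they carry no port; NAT-T rides on udp 4500.
REQUIRED = {
    ("udp", 500): "ISAKMP / IKE phase 1 on udp 500",
    ("udp", 4500): "NAT-T, ESP wrapped in udp 4500",
    ("50", None): "ESP, IP protocol 50",
    ("51", None): "AH, IP protocol 51",
}
CONDUIT = re.compile(
    r"conduit permit (?P<proto>\S+) host (?P<host>\S+)"
    r"(?: eq (?P<eq>\S+)| range (?P<lo>\d+) (?P<hi>\d+))? any"
)

def parse_conduit(line):
    """One 'conduit permit ...' line -> dict, or None if it does not match.
    'ports' is None for an IP-protocol rule such as 'conduit permit 50 ...'."""
    m = CONDUIT.match(line.strip())
    if not m:
        return None
    proto, ports = m.group("proto").lower(), None
    if proto in ("tcp", "udp"):
        ports = set()  # tcp/udp rule with no port spec: not counted here
        if m.group("eq"):  # 'isakmp' is the PIX name for udp 500
            ports = {500 if m.group("eq") == "isakmp" else int(m.group("eq"))}
        elif m.group("lo"):
            ports = set(range(int(m.group("lo")), int(m.group("hi")) + 1))
    return {"proto": proto, "host": m.group("host"), "ports": ports}

def check_ipsec_passthrough(lines):
    """Return (warnings, missing): port/protocol mix-ups and absent rules."""
    warnings, present = [], set()
    for line in lines:
        rule = parse_conduit(line)
        if rule is None:
            continue
        if rule["ports"] is None:  # IP-protocol rule such as 'permit 50'
            present.add((rule["proto"], None))
            continue
        if rule["ports"] & {50, 51}:
            warnings.append(f"'{line.strip()}': ESP and AH are IP protocols "
                            "50 and 51, not tcp/udp ports")
        present.update((rule["proto"], p) for p in rule["ports"])
    missing = [d for k, d in REQUIRED.items() if k not in present]
    return warnings, missing

# Constructed sample: the thread's posted rules with a documentation address.
POSTED = ["conduit permit udp host 203.0.113.10 eq isakmp any",
          "conduit permit tcp host 203.0.113.10 range 50 51 any",
          "conduit permit udp host 203.0.113.10 range 50 51 any"]
```

Running `check_ipsec_passthrough(POSTED)` yields two warnings (the tcp and udp "range 50 51" lines) and lists protocol 50, protocol 51 and udp 4500 as missing; replacing those two lines with `conduit permit 50 ...` and `conduit permit 51 ...` clears the warnings.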
 
Had a similar problem to this using a pptp connection to break out to the internet from behind my pix to a third party. You could try allowing GRE traffic from the remote site to local. I will post what I did on my pix this evening.
 
Tested it on my pix and can connect to the VPN Client on the outside of my pix. It's all down to the pix trying to deal with the GRE traffic instead of pushing it through to your machine.

First create an access list inbound on the outside interface and add the following:
access-list out2in permit gre any host 82.133.x.x
Then add a static mapping from outside to inside to the laptop:
static (inside,outside) 82.133.x.x 192.168.x.x netmask 255.255.255.255 0 0

This should sort you out.
 