
VPN Tunnels through a PIX 515 with 6.3

Status
Not open for further replies.

KeithPasquill

IS-IT--Management
Feb 27, 2001
7
AU
The inside network currently has a number of PCs that have been allocated static IPs and need to communicate via the PIX to the outside to establish a VPN connection with a remote host. Normally we would use dynamic IP address NAT for all of our external comms, but this will not work. If we use static IP address NAT for inside clients going to the outside, then this works OK.

E.g. 10.10.100.20 (inside) -> WW.XX.YY.ZZ1 to ZZ2 range (outside)
THIS DOES NOT WORK !!

but

10.10.100.20 (inside) -> WW.XX.YY.ZZ1 (outside)
WORKS OK!

Obviously we cannot allocate a single IP address for every PC on the inside which needs to access the VPN and know there must be a way round this.

Any help would be very much appreciated.
 
You never mentioned the type of VPN so I am assuming it is IPSec.
You need to enable NAT Traversal (NAT-T) on the headend device. The problem is that the NAT function doesn't handle the ESP protocol very well. When you enable NAT-T on the headend device, the VPN client will negotiate the tunnel using NAT-T; this causes both the headend device and the VPN client to encapsulate the ESP protocol in a UDP packet, thereby solving the issue with ESP and NAT.
If the headend device is another PIX, the command needed is:

isakmp nat-traversal <keepalive>
 
Sorry, but the VPN that is being used is PPTP.

The PIX has the entries:
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

already defined, so as far as we can see NAT-T is enabled.
 
If you have those entries then your PIX is configured for IPSec. PPTP configuration has the following commands amongst others:

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ...
 
Yep, we have these as well...
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local ticketing
vpdn group PPTP-VPDN-GROUP client configuration dns hermes
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local

As you can tell I am relatively new to the PIX so welcome any suggestions and questions.
 
If you are running PIX 6.3.x then you can configure the following fixup on the PIX:

fixup protocol pptp 1723

This fixup allows you to establish a PPTP tunnel with dynamic NAT.
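To illustrate the behaviour the thread describes, here is a small toy model of the firewall's translation logic (my own added example, not code from the thread or from Cisco): PPTP carries its data in GRE (IP protocol 47), which has no port numbers, so many-to-one dynamic NAT has nothing to rewrite and drops it; static 1:1 NAT passes it; and PPTP inspection, as enabled by `fixup protocol pptp 1723`, tracks the call ID negotiated on TCP/1723 and uses it like a port to translate and demultiplex GRE. All class names, addresses and the simplified logic are assumptions for the model.

```python
# Toy model of PPTP through NAT (constructed example, not PIX code).
from dataclasses import dataclass, replace
from typing import Optional

TCP, GRE, PPTP_PORT = 6, 47, 1723


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: int = 0      # TCP destination port (control channel)
    call_id: int = 0    # PPTP call ID (control message or GRE key field)


class ToyPix:
    def __init__(self, global_ip, static=None, pptp_fixup=False):
        self.global_ip = global_ip   # single outside address used for dynamic NAT
        self.static = static or {}   # inside ip -> outside ip (1:1 static NAT)
        self.pptp_fixup = pptp_fixup
        self.gre_xlate = {}          # outside call ID -> (inside ip, inside call ID)
        self.next_call = 1000        # next unique outside call ID to hand out

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.src in self.static:     # static NAT: any IP protocol passes 1:1
            return replace(p, src=self.static[p.src])
        if p.proto == TCP:           # dynamic NAT can translate TCP (ports exist)
            if p.dport == PPTP_PORT and self.pptp_fixup:
                # inspection of the control channel: give this inside host a
                # unique outside call ID, the GRE equivalent of a PAT port
                gid = self.next_call
                self.next_call += 1
                self.gre_xlate[gid] = (p.src, p.call_id)
                return replace(p, src=self.global_ip, call_id=gid)
            return replace(p, src=self.global_ip)
        if p.proto == GRE and self.pptp_fixup:
            # outbound GRE is allowed once a PPTP session from that host was seen
            if any(ip == p.src for ip, _ in self.gre_xlate.values()):
                return replace(p, src=self.global_ip)
        return None                  # GRE has no port: plain dynamic NAT drops it

    def inbound(self, p: Packet) -> Optional[Packet]:
        for inside, outside in self.static.items():
            if p.dst == outside:     # static NAT: reverse the 1:1 mapping
                return replace(p, dst=inside)
        if p.proto == GRE and p.dst == self.global_ip and p.call_id in self.gre_xlate:
            inside, cid = self.gre_xlate[p.call_id]   # demux by outside call ID
            return replace(p, dst=inside, call_id=cid)
        return None                  # unknown GRE flow: nothing to map it to
```

Return traffic for ordinary TCP is deliberately left out; the model only shows why GRE needs either a static mapping or the PPTP inspection state.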
 