Allowing Cisco VPN client through PIX

IgorHamzic (Level 1)

Hi. I'm trying to allow the Cisco VPN client from our company's LAN to reach remote resources.

There is PAT set up on the PIX and I will add the following lines to the ACL on the inside interface to allow access for the client:

permit tcp x.x.x.x y.y.y.y eq 50

permit tcp x.x.x.x y.y.y.y eq 51

permit udp x.x.x.x y.y.y.y eq 500

permit udp x.x.x.x y.y.y.y eq 4500

I haven't done anything like this before so I don't know if this will be enough to allow the client connection to remote resources.

Do I need to do anything else for this to work?


2 Replies

acomiskey (Level 10), accepted solution

That should be good for the local PIX, but make sure NAT traversal is enabled on the remote device.

ESP and AH are protocols, not ports: 50 and 51.

permit esp x.x.x.x y.y.y.y

permit ah x.x.x.x y.y.y.y

permit udp x.x.x.x y.y.y.y eq 500

permit udp x.x.x.x y.y.y.y eq 4500
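As an added example (not code from the thread), here is a small Python checker that parses the simplified PIX-style ACL entries used in this thread and flags the mistake acomiskey points out: ESP and AH written as TCP ports 50/51 instead of IP protocols, plus any missing IKE (UDP 500) or NAT-T (UDP 4500) entry. The ACE syntax it accepts is an assumption limited to the "permit <proto> <src> <dst> [eq <port>]" form shown above.

```python
import re

# Constructed samples: the original poster's ACL and the corrected one from the reply.
POSTED_ACL = """
permit tcp x.x.x.x y.y.y.y eq 50
permit tcp x.x.x.x y.y.y.y eq 51
permit udp x.x.x.x y.y.y.y eq 500
permit udp x.x.x.x y.y.y.y eq 4500
"""
CORRECTED_ACL = """
permit esp x.x.x.x y.y.y.y
permit ah x.x.x.x y.y.y.y
permit udp x.x.x.x y.y.y.y eq 500
permit udp x.x.x.x y.y.y.y eq 4500
"""

# Simplified ACE form used in this thread (assumption): permit <proto> <src> <dst> [eq <port>]
ACE_RE = re.compile(r"^permit\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?$")


def parse_acl(text):
    """Return a list of (proto, src, dst, port); port is None for protocol-only entries."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        proto, src, dst, port = m.groups()
        entries.append((proto.lower(), src, dst, int(port) if port else None))
    return entries


def check_ipsec_passthrough(text):
    """Return a list of problems; an empty list means IKE, NAT-T, ESP and AH are all permitted."""
    entries = parse_acl(text)
    problems = []
    protos = {proto for proto, _, _, _ in entries}
    for proto, _, _, port in entries:
        # Port 50/51 on TCP or UDP is the classic confusion: ESP and AH are IP protocols, not ports.
        if proto in ("tcp", "udp") and port in (50, 51):
            problems.append(f"'{proto} eq {port}' matches a port; ESP/AH are IP protocols 50/51, use 'permit esp'/'permit ah'")
    if "esp" not in protos:
        problems.append("missing 'permit esp' (IP protocol 50)")
    if "ah" not in protos:
        problems.append("missing 'permit ah' (IP protocol 51)")
    udp_ports = {port for proto, _, _, port in entries if proto == "udp"}
    if 500 not in udp_ports:
        problems.append("missing 'permit udp ... eq 500' (IKE)")
    if 4500 not in udp_ports:
        problems.append("missing 'permit udp ... eq 4500' (NAT-T, required behind PAT)")
    return problems
```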

Thanks for the correction on the ACL.

The remote PIX isn't under my control so I'll pass that information to the other administrator.

Thanks for the fast reply.