VPN client through PIX to client site

pstebner1
Level 1

I have a PIX 515e running 6.3(5) with multiple site-to-site vpns configured and all is well. However when a user inside my LAN tries to launch a vpn client, whether it is Cisco IPSec or MS SSL, in order to connect to a client (these clients are not part of any of our site-to-site tunnels) they cannot get a connection.

My setup is lan ->pix->2691 router-> internet.

If I put my laptop in between the pix and the router with a public address I can get to any of these clients without any problems.

I have NAT-T enabled as well as sysopt connection permit-ipsec.

With Ethereal I see traffic going out but not coming back in.

Any help?

Thanks,

Paul

3 Replies

m.sir
Level 7

did you permit UDP ports 500 and 4500 on the PIX???

Also check that transport tunneling (IPsec over UDP) is enabled in your VPN client (Transport tab).

M.

I did explicitly permit those ports, though I never see them take hits in the access-list.

I found out that certain client VPN connections do work from inside the LAN here. It appears that the one specific client IPSec VPN problem is with a client who is not using NAT. I cannot turn off NAT-T here as I have site-to-site tunnels configured. Is there a way around this? Also, I still have issues with MS SSL VPNs.

Thanks,

Paul

I just figured out how to do it - I had to use a static NAT statement so that I could bypass PAT and not be affected by NAT-T.

access-list VPNACCESS permit ip mylocalip 255.255.255.255 remoteclassB 255.255.0.0

static (inside,outside) 69.xx.yy.zzz access-list VPNACCESS

P
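For readers landing on this thread, here is the policy static NAT approach above shown in the context of a full PIX 6.3 configuration fragment. This is an added example, not the poster's configuration: the inside host 192.168.10.25, the spare public address 203.0.113.10, the remote network 198.51.100.0/16 and the access-list name OUTSIDE_IN are constructed placeholders. The point of the static is that the remote peer, which does not negotiate NAT-T, answers with raw ESP (no ports), which the interface PAT cannot map back to the inside host; a one-to-one static gives that host its own public address so ESP can return, while NAT-T stays on for the site-to-site tunnels.

```cisco
! --- Outbound NAT: everyone else keeps using interface PAT ---
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! --- Policy static: only traffic from the VPN user's PC to the
!     remote (non-NAT-T) client network bypasses PAT and is
!     translated one-to-one to a dedicated public address.
!     Statics are evaluated before nat/global, so this wins. ---
access-list VPNACCESS permit ip host 192.168.10.25 198.51.100.0 255.255.0.0
static (inside,outside) 203.0.113.10 access-list VPNACCESS

! --- Inbound ACL on the outside interface. sysopt connection
!     permit-ipsec only covers tunnels terminating on the PIX,
!     so transit IKE/NAT-T/ESP must be permitted explicitly.
!     Restrict the source to the remote peer's address once known
!     (any is used here only because it is a constructed example). ---
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq 4500
access-list OUTSIDE_IN permit esp any host 203.0.113.10
access-group OUTSIDE_IN in interface outside

! --- NAT-T remains enabled for the existing site-to-site peers ---
isakmp nat-traversal 20
sysopt connection permit-ipsec

! --- Verification after the client connects ---
! show xlate                 -> expect 192.168.10.25 <-> 203.0.113.10 (no port)
! show access-list OUTSIDE_IN -> hitcnt should increase on the udp/esp lines
```

If the static's public address is the PIX outside interface address itself, this will not work on 6.3; the address must be a spare one routed to the PIX by the 2691.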