PIX 525 protocol 50 session issue

Unanswered Question
Aug 23rd, 2007

Am attempting to have a user build a VPN related session, from a node on the inside of my FW, to a VPN host at AT&T. I see the following session build on the FW:

<166>Aug 23 2007 08:38:13: %PIX-6-302015: Built outbound UDP connection 140948597 for outside:12.65.185.2/500 (12.65.185.2/500) to inside:172.17.28.169/1019 (192.77.126.50/663) (bhuffman)

<166>Aug 23 2007 08:40:17: %PIX-6-302016: Teardown UDP connection 140948597 for outside:12.65.185.2/500 to inside:172.17.28.169/1019 duration 0:02:03 bytes 3917 (bhuffman)

Yet, when what appears to be this return session attempts to connect across my outside interface, I see the following:

<163>Aug 23 2007 08:40:14: %PIX-3-106011: Deny inbound (No xlate) protocol 50 src outside:12.65.185.2 dst outside:192.77.126.50

Am I missing something on my PIX FW config to allow vpn related traffic? FYI, this user is in a security group associated with an access-list on the firewall that allows ip any any outbound.
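The sequence quoted above (an outbound IKE connection built on UDP/500, then ESP from the same peer dropped with "No xlate" because ESP carries no port for PAT to translate) is something a defender can pick out of the PIX syslog feed automatically. The following Python correlator is an added example, not code from the original thread or from Cisco; the regular expressions, the function names and the `seconds_after_ike` field are my own assumptions about how to structure the check, and the only input is the three log lines from the post, embedded as a constructed sample.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: the three PIX 6.x syslog lines quoted in the post,
# reproduced verbatim (priority prefix, connection id and user name included).
SAMPLE_LOG = """\
<166>Aug 23 2007 08:38:13: %PIX-6-302015: Built outbound UDP connection 140948597 for outside:12.65.185.2/500 (12.65.185.2/500) to inside:172.17.28.169/1019 (192.77.126.50/663) (bhuffman)
<163>Aug 23 2007 08:40:14: %PIX-3-106011: Deny inbound (No xlate) protocol 50 src outside:12.65.185.2 dst outside:192.77.126.50
<166>Aug 23 2007 08:40:17: %PIX-6-302016: Teardown UDP connection 140948597 for outside:12.65.185.2/500 to inside:172.17.28.169/1019 duration 0:02:03 bytes 3917 (bhuffman)
"""

# Generic PIX syslog header: <pri>Mon DD YYYY HH:MM:SS: %PIX-<sev>-<msgid>: <body>
HEADER = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# %PIX-6-302015 body: outbound UDP connection, including the PAT address the
# inside host was translated to and, optionally, the authenticated user name.
BUILT_UDP = re.compile(
    r"Built outbound UDP connection (?P<conn>\d+) for "
    r"outside:(?P<peer>[\d.]+)/(?P<peer_port>\d+) \([\d.]+/\d+\) to "
    r"inside:(?P<inside>[\d.]+)/(?P<inside_port>\d+) "
    r"\((?P<xlate>[\d.]+)/(?P<xlate_port>\d+)\)(?: \((?P<user>[^()]+)\))?"
)

# %PIX-3-106011 body: inbound packet dropped because no translation slot matched.
DENY_NOXLATE = re.compile(
    r"Deny inbound \(No xlate\) protocol (?P<proto>\d+) "
    r"src outside:(?P<src>[\d.]+) dst outside:(?P<dst>[\d.]+)"
)

ISAKMP_PORT = 500   # IKE negotiation
ESP_PROTOCOL = 50   # IP protocol number of ESP


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one PIX syslog line into timestamp, severity, message id and body."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # not a PIX message, or a header format this parser does not know
    rec: Dict[str, object] = m.groupdict()
    rec["time"] = datetime.strptime(str(rec.pop("ts")), "%b %d %Y %H:%M:%S")
    return rec


def find_esp_passthrough_failures(log_text: str) -> List[Dict[str, object]]:
    """Correlate an outbound IKE (UDP/500) connection with a later 'No xlate'
    drop of ESP (protocol 50) from the same peer to the same PAT address.

    That pairing is the signature of an IPsec client behind PAT whose IKE
    negotiation went through but whose ESP return traffic the firewall cannot
    map back to an inside host, because ESP has no port to translate on.
    """
    ike_sessions: Dict[tuple, Dict[str, object]] = {}
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msgid"] == "302015":
            b = BUILT_UDP.match(str(rec["body"]))
            if b and int(b["peer_port"]) == ISAKMP_PORT:
                # Key on (peer, PAT address): that is all an ESP packet carries.
                ike_sessions[(b["peer"], b["xlate"])] = {
                    "time": rec["time"],
                    "inside_host": b["inside"],
                    "user": b["user"] or "",
                    "conn_id": b["conn"],
                }
        elif rec["msgid"] == "106011":
            d = DENY_NOXLATE.match(str(rec["body"]))
            if not d or int(d["proto"]) != ESP_PROTOCOL:
                continue
            ike = ike_sessions.get((d["src"], d["dst"]))
            if ike is None:
                continue  # ESP from a peer we never saw IKE to: an unrelated drop
            findings.append({
                "peer": d["src"],
                "pat_address": d["dst"],
                "inside_host": ike["inside_host"],
                "user": ike["user"],
                "ike_conn_id": ike["conn_id"],
                "seconds_after_ike": int((rec["time"] - ike["time"]).total_seconds()),
                "reason": "ESP return traffic has no port, so PAT has no xlate for it",
            })
    return findings


if __name__ == "__main__":
    for f in find_esp_passthrough_failures(SAMPLE_LOG):
        print(f"{f['user']}@{f['inside_host']} (PAT {f['pat_address']}) <-> {f['peer']}: "
              f"ESP denied {f['seconds_after_ike']}s after IKE conn {f['ike_conn_id']}")
```

Run against the sample it reports one finding: the inside host that negotiated IKE with the peer, the PAT address the peer is replying to, and that the ESP drop came 121 seconds after the IKE connection was built. The IKE session table is never pruned here, so on a long-running feed you would age entries out on the matching teardown message (302016) rather than keeping them forever.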

gerheauserm Thu, 08/23/2007 - 09:25

Am running 6.3(1), not exactly sure what you mean by Ipsec inspection. Under what menu option, or CLI command do I find this?

BTW, super appreciate the assistance.

srue Thu, 08/23/2007 - 09:31

fixup protocol esp-ike

Don't use this if you have VPNs terminated on the firewall, though. You will then have to allow IPsec traffic into the firewall from the outside: udp 500 and udp 4500.
