Some command to make PIX 515 E to do "IPsec passthrough"?

fmt_cisco
Level 1

Some routers sold out there, e.g. my Linksys WRT54GC, have "IPsec passthrough" integrated. This is very useful when the remote firewall doesn't have NAT traversal enabled (and it's difficult to ask that admin to enable it).

I'm wondering if there's any command to make a PIX (515E) have this function. Does anyone know?

3 Replies

JORGE RODRIGUEZ
Level 10

I know those are nice features that are already enabled on Linksys devices, but these are meant to be more of a PnP device where no other configuration is required by the end user when it comes to IPsec or PPTP.

On the other hand, on PIX/ASA firewalls, or on an IPsec-capable IOS router, this is not the case.

In these cases the IPsec VPN ports, as well as the MS PPTP ports if using Microsoft VPN clients, need to be explicitly opened for clients inside to be able to VPN outbound.

When using the Cisco VPN client from inside a PIX/ASA to connect to an outside RA VPN server, you simply need IPsec pass-through inspection configured in your global policy for code 7.x and above.

For PIX/ASA running code 7.x or above, inspection of ipsec-pass-thru must be enabled in the global policy.

e.g. Cisco VPN client:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

For PPTP:

policy-map global_policy
 class inspection_default
  inspect pptp

For PIX 6.x you need to open up the IPsec ports udp 500 (isakmp), udp 4500 (nat-t) and protocol 50 (esp), and apply the ACL to the PIX outside interface.

e.g.

access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log

Also, it is recommended to enable NAT traversal:

isakmp nat-traversal 20

The same principle applies on routers; just for reference, for example for MS PPTP it would require tcp 1723 and the GRE protocol.

access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log

interface
 ip access-group 101 in

or for both IPsec and PPTP:

access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log

interface
 ip access-group 101 in

Here are a couple of links for reference if you would like to read them.

PPTP through firewalls

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

IPsec pass through Cisco firewalls

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169

If you have any problems implementing it, let us know; it's pretty much straightforward once you open up the required ports.

HTH

Best regards

-Jorge

Please rate any helpful posts if it helps.

In response to Jorge Rodriguez:

Thank you for your reply.

OK, those access lists for IPsec pass-through worked partially! Is there any drawback/risk/conflict/potential problem if I use this method?

I mean, it's strange I wasn't able to find anything about this (for PIX firmware version 6) on Cisco's website. And normally, if something isn't documented, it's not recommended, right?

The fact is, I've added the access lists, established a VPN connection using one PC and tested "ping": it worked. But when I did the same test with another PC, that didn't work. That's why I said "partially".

On the other hand, are your access lists equivalent to using the following command?

fixup protocol esp-ike

(cf http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/fixup.html#wp1094669)

If yes, I understand why this method worked partially. But I have no idea how to terminate the VPN tunnel!? I mean, I've tried to reboot (reload) the PIX several times, but I still can't make it work again. Any idea?

And when you wrote "it is recommended to enable NAT traversal", you mean in the remote firewall, right? Because I have no control over the remote firewall. In a recent matter, I had difficulties convincing the admin of a remote firewall to add that command, and I'm trying to figure out how to work around the problem without asking for his help.

Lastly, I've got a site-to-site VPN tunnel established with another PIX in a remote office (over which I of course have total control). Would these access lists create conflicts? I've done some tests and so far I haven't found any problem. But I'd still like to ask to make sure.

OK, those access lists for IPsec pass-through worked partially! Is there any drawback/risk/conflict/potential problem if I use this method?

There could be one reason I can think of at this moment: if you are using PAT (a single public IP) for all the inside users to VPN out, you may run into problems if the RA VPN server does not have NAT-T enabled; you will then need a one-to-one NAT. Could you confirm NAT-T is enabled, or ask the other end to enable it?

On the other hand, are your access lists equivalent to using the following command?

fixup protocol esp-ike

Not at all. Do NOT enable this feature: if you have L2L tunnels they will be brought down; with esp-ike enabled you cannot terminate L2L VPNs.

And when you wrote "it is recommended to enable NAT traversal", you mean in the remote firewall, right? Because I have no control over the remote firewall. In a recent matter, I had difficulties convincing the admin of a remote firewall to add that command, and I'm trying to figure out how to work around the problem without asking for his help.

At both ends. In your case, from the symptoms you described (that only one PC can VPN), most likely the other end does not have NAT-T enabled. I enable my end firewall for our RA VPN clients to connect to our network.

Where, when and why about NAT-T

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftipsnat.html#wp1039027

BTW, nothing wrong with asking for help; we all ask for help when in doubt, at least I do.

Lastly, I've got a site-to-site VPN tunnel established with another PIX in a remote office (over which I of course have total control). Would these access lists create conflicts? I've done some tests and so far I haven't found any problem. But I'd still like to ask to make sure.

No, it will not create conflicts. When creating L2L VPNs, if you use PDM it generates crypto ACLs pertaining to the L2L tunnel policies.

When creating ACLs for allowing the IPsec VPN ports, or any other ACLs, they should be different from the L2L ACLs.

HTH

Rgds

-Jorge

Please rate any helpful post if it helped.

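As an added example (not part of Jorge's replies and not Cisco or Linksys code), the following Python model shows the failure mode behind "one PC works, the second doesn't" and why NAT-T is the fix. A PAT device rewrites UDP ports, so IKE on UDP/500 and NAT-T on UDP/4500 from several inside hosts each get their own translation; ESP (IP protocol 50) carries no ports, so a passthrough translator can only pin one inside host per remote peer and the second host's tunnel is dropped. The addresses, the `PassthroughPat` class and `run_scenario` are hypothetical constructs for the simulation; the model deliberately ignores SPI learning and treats "IPsec passthrough" as one ESP tunnel per peer, which is the behaviour the thread describes, not PIX internals.

```python
"""Toy model of ESP vs. NAT-T behind a PAT device.

Constructed example: addresses, class and function names are hypothetical;
this is not PIX, ASA or Linksys logic.
"""
from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # UDP only
    dport: Optional[int] = None   # UDP only
    spi: Optional[int] = None     # ESP only


class PassthroughPat:
    """PAT with 'IPsec passthrough' semantics: every UDP flow gets its own
    public port; ESP, which has no ports, is pinned to one inside host
    per remote peer (assumption: the simplest passthrough strategy)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 1024
        self.udp_out = {}   # (inside_ip, inside_port, peer, peer_port) -> public_port
        self.udp_in = {}    # (public_port, peer, peer_port) -> (inside_ip, inside_port)
        self.esp_pin = {}   # peer -> inside_ip that owns the ESP translation

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == UDP:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.udp_out:          # allocate a fresh public port
                self.udp_out[key] = self.next_port
                self.udp_in[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
                self.next_port += 1
            return Packet(UDP, self.public_ip, p.dst, self.udp_out[key], p.dport)
        if p.proto == ESP:
            # No port to rewrite: first inside host to talk to this peer wins,
            # any other inside host's ESP to the same peer is dropped.
            owner = self.esp_pin.setdefault(p.dst, p.src)
            if owner != p.src:
                return None
            return Packet(ESP, self.public_ip, p.dst, spi=p.spi)
        return None

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.public_ip:
            return None
        if p.proto == UDP:
            entry = self.udp_in.get((p.dport, p.src, p.sport))
            if entry is None:
                return None
            inside_ip, inside_port = entry
            return Packet(UDP, p.src, inside_ip, p.sport, inside_port)
        if p.proto == ESP:
            owner = self.esp_pin.get(p.src)
            return None if owner is None else Packet(ESP, p.src, owner, spi=p.spi)
        return None


def run_scenario(nat_t: bool) -> dict:
    """Two inside hosts each build a tunnel to the same VPN server through
    one PAT address. Returns {inside_ip: reply_delivered}."""
    pat = PassthroughPat("203.0.113.10")        # hypothetical PIX outside address
    server = "198.51.100.5"                     # hypothetical remote RA VPN server
    hosts = ["10.1.1.11", "10.1.1.12"]
    results = {}
    for i, host in enumerate(hosts):
        # IKE on UDP/500: PAT hands out a distinct port, so both hosts negotiate.
        assert pat.outbound(Packet(UDP, host, server, IKE_PORT, IKE_PORT)) is not None
        # Data: plain ESP, or ESP wrapped in UDP/4500 when NAT-T is negotiated.
        if nat_t:
            data = Packet(UDP, host, server, NAT_T_PORT, NAT_T_PORT)
        else:
            data = Packet(ESP, host, server, spi=0x1000 + i)
        out = pat.outbound(data)
        if out is None:
            results[host] = False
            continue
        # The server answers whatever it saw on the wire (swap addresses/ports).
        if out.proto == UDP:
            reply = Packet(UDP, server, out.src, out.dport, out.sport)
        else:
            reply = Packet(ESP, server, out.src, spi=0x2000 + i)
        back = pat.inbound(reply)
        results[host] = back is not None and back.dst == host
    return results


if __name__ == "__main__":
    print("plain ESP:", run_scenario(nat_t=False))   # second host fails
    print("NAT-T    :", run_scenario(nat_t=True))    # both hosts succeed
```

Both hosts only succeed in the NAT-T run, and NAT-T is only used when both peers support it, which is why the advice above to have the remote end enable it is the real fix rather than the ACL. The ACL lines earlier in the thread just let the protocols through; as written they admit ESP and UDP/500/4500 from any source to any destination, so if you keep that approach, restricting the destination to the PIX outside address is the usual tightening.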