08-25-2008 03:12 PM
I just upgraded from a Pix 506e v6.3(5) to a PIX 515e with v8.0(3)in my home office. Unfortunately, I'm no longer able to use the Cisco VPN client to ping or RDP to remote locations. On my previous 506e, I was able to connect from my house going through the 506e and terminated a VPN session on the customer PIX or ASA devices. From there, I was able to ping or RDP to servers and workstations. On my previous 506e, I enabled esp-ike under the fixup protocols and used an ACL for esp, isakmp, and ipsec. Now that I have a 515e with 8.0(3), the esp-ike is no longer a supported command, therefore I added NAT-T, verified the VPN client transport tab was set to use IPSEC over UDP. I've tried everything I could read through on the support forums and still no luck. What am I missing? or is this impossible to go through a local PIX to a remote PIX using a VPN client? I do not want to use the Easy VPN options as I provide remote server support for over a dozen business customers. Any help would be greatly appreciated.
08-25-2008 05:13 PM
add this to your global polciy for IPsec pass through for ( Cisco VPN Client ) to be able to vpn outbound from behing the PIX/ASA applience.
IPsec-Cisco-VPN-CLIENT pass through
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect ipsec-pass-thru
ciscoasa(config-pmap-c)#exit
save config and try to vpn, let us know how it works out.
some additional info for ipsec pass through inspection.
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1670077
Rgds
Jorge
08-25-2008 05:50 PM
Jorge,
Thanks for the info. I will try this out tonight and see if that fixes my issue.
Ian
08-26-2008 02:51 PM
Ian, are you all set with issue or do you still have problems.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: