11-18-2008 06:46 AM - edited 03-11-2019 07:14 AM
our client has a pix 515E (6.3.4), there is a workstation trying to use a juniper VPN client to connect to a vendor network. The VPN client says it is connected but no vendor IP information is passed on to the local workstation. The client is requesting that ports 500 and 4500 be opened to support this connection. This doesn't seem correct to me. Any suggestions?
11-18-2008 09:09 AM
Jason,
A workaround can be permitting tcp 4500, udp 500, esp and ah protocols to the outside interface from any destination:
access-list outside_access_in permit tcp any interface outside eq 4500
access-list outside_access_in permit udp any interface outside eq 500
access-list outside_access_in permit esp any interface outside
If it doesn't work, upgrade your IOS to 7.x, where ipsec-pass-through and PAT VPN configs can work at the same time.
Regards
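As an added diagnostic example (not part of the thread or of Cisco's PIX code): a Python classifier for the IPsec flows discussed above. It sorts constructed sample packets into IKE on UDP/500, NAT-T on UDP/4500 (where IKE is told apart from UDP-encapsulated ESP by the four-zero-byte non-ESP marker of RFC 3948, since an ESP SPI of 0 is reserved), raw ESP and AH, and lists which protocol/port the firewall must permit. The packet tuples are constructed here, not captured from the poster's network.

```python
import struct

IKE_PORT = 500          # ISAKMP / IKE
NAT_T_PORT = 4500       # IKE and ESP over UDP when NAT traversal is negotiated (RFC 3948)
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # valid ESP SPIs are never 0, so this marks IKE on 4500


def classify(ip_proto, dst_port, payload):
    """Return (description, required_permit) for one packet.

    ip_proto: IP protocol number; dst_port: UDP destination port or None;
    payload: UDP payload bytes (empty for raw ESP/AH).
    required_permit is the protocol/port the firewall must allow, or None.
    """
    if ip_proto == IPPROTO_ESP:
        return "raw ESP (IP protocol 50)", "esp"
    if ip_proto == IPPROTO_AH:
        return "raw AH (IP protocol 51)", "ah"
    if ip_proto == IPPROTO_UDP:
        if dst_port == IKE_PORT:
            return "IKE over UDP/500", "udp/500"
        if dst_port == NAT_T_PORT and len(payload) >= 8:
            if payload[:4] == NON_ESP_MARKER:
                return "IKE over UDP/4500 (NAT-T, non-ESP marker)", "udp/4500"
            spi = struct.unpack("!I", payload[:4])[0]   # ESP header: SPI then sequence number
            return f"UDP-encapsulated ESP, SPI 0x{spi:08x}", "udp/4500"
    return "not IPsec", None


# Constructed sample packets (ip_proto, dst_port, payload); bodies are zero padding.
SAMPLE_FLOWS = [
    (IPPROTO_UDP, 500, bytes(28)),                                    # IKE main mode
    (IPPROTO_UDP, 4500, NON_ESP_MARKER + bytes(28)),                  # IKE after NAT detection
    (IPPROTO_UDP, 4500, struct.pack("!II", 0x0A1B2C3D, 1) + bytes(16)),  # ESP-in-UDP, seq 1
    (IPPROTO_ESP, None, b""),                                         # ESP without NAT-T
    (IPPROTO_UDP, 53, b"\x12\x34"),                                   # unrelated DNS
]


def required_permits(flows):
    """Collect the distinct protocol/port permits the observed flows need."""
    permits = set()
    for ip_proto, dst_port, payload in flows:
        _, permit = classify(ip_proto, dst_port, payload)
        if permit:
            permits.add(permit)
    return permits


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(classify(*flow))
    print("firewall must permit:", sorted(required_permits(SAMPLE_FLOWS)))
```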
11-18-2008 07:22 AM
Hello Jason,
I don't have any experience with Juniper, but I am assuming that the Juniper VPN Client behind your PIX (on the inside interface) is trying to establish an IPSEC VPN session with a remote Juniper server.
By default, any traffic that is originated from your VPN client is permitted and no ports need to be opened, since it is located on a higher security interface. But again assuming that this is an IPSEC connection, you may have to enable ipsec pass through in the PIX. Try issuing the following:
fixup protocol ipsec-pass-through
Regards
11-18-2008 07:41 AM
that command is not supported in the 6.3.4 IOS. Do you know what the command is for this version?
11-18-2008 08:35 AM
Try this:
fixup protocol esp-ike
11-18-2008 08:38 AM
This firewall supports a remote access VPN connection. When I entered in the fixup protocol esp-ike I received this error message: "PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!"