juniper vpn client behind a PIX 515e

j.bourque
Level 1

Our client has a PIX 515E (6.3.4); there is a workstation trying to use a Juniper VPN client to connect to a vendor network. The VPN client says it is connected, but no vendor IP information is passed to the local workstation. The client is requesting that ports 500 and 4500 be opened to support this connection. This doesn't seem correct to me. Any suggestions?

5 Replies

husycisco
Level 7

Hello Jason,

I don't have any experience with Juniper, but I am assuming that the Juniper VPN Client behind your PIX (on the inside interface) is trying to establish an IPsec VPN session with the remote Juniper server.

By default, any traffic that originates from your VPN client is permitted and no ports need to be opened, since it is located on a higher-security interface. But again, assuming that this is an IPsec connection, you may have to enable IPsec pass-through on the PIX. Try issuing the following:

fixup protocol ipsec-pass-through

Regards

j.bourque
Level 1

That command is not supported in the 6.3.4 IOS. Do you know what the command is for this version?

Try this:

fixup protocol esp-ike

This firewall supports a remote access VPN connection. When I entered the fixup protocol esp-ike command I received this error message: "PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!"

Jason,

A workaround can be permitting tcp 4500, udp 500, esp and ah protocols to the outside interface from any destination:

access-list outside_access_in permit tcp any interface outside eq 4500

access-list outside_access_in permit udp any interface outside eq 500

access-list outside_access_in permit esp any interface outside

If it doesn't work, upgrade your IOS to 7.x; ipsec-pass-through and PAT VPN configs can work at the same time.

Regards
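As an added check on the workaround above (example code written for this page, not from the thread's participants or from Cisco), the following script parses PIX 6.3-style access-list lines and reports which of the flows a NAT-traversing IPsec client needs (IKE on UDP 500, NAT-T on UDP 4500, and ESP) are still not permitted, and which rules are open to any source. The ACL text is the three lines quoted in the reply; the function names are this example's own.

```python
# Added example, not from the thread or from Cisco: checks the PIX 6.3 ACL
# workaround quoted above against the flows a NAT-traversing IPsec client needs.

# Constructed input: the three ACL lines from the reply above.
ACL_TEXT = """
access-list outside_access_in permit tcp any interface outside eq 4500
access-list outside_access_in permit udp any interface outside eq 500
access-list outside_access_in permit esp any interface outside
"""

# (protocol, destination port) pairs: IKE on UDP 500, NAT-T on UDP 4500, ESP itself.
REQUIRED = {("udp", "500"), ("udp", "4500"), ("esp", None)}

def _take_addr(tokens):
    """Consume one PIX address spec: any | host A | interface NAME | NET MASK."""
    head = tokens.pop(0)
    if head == "any":
        return "any"
    return f"{head} {tokens.pop(0)}"  # host/interface/network each take one more token

def parse_acl(text):
    """Parse 'access-list NAME permit PROTO SRC DST [eq PORT]' lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue  # deny entries, remarks and anything else are ignored
        try:
            rest = t[4:]
            src, dst = _take_addr(rest), _take_addr(rest)
        except IndexError:
            continue  # malformed line: not enough tokens for two address specs
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append({"name": t[1], "proto": t[3].lower(), "src": src, "dst": dst, "port": port})
    return rules

def check_ipsec_passthrough(rules):
    """Return (missing, broad): REQUIRED flows no rule permits, and rules open to
    any source (tighten to the vendor gateway address once it is known)."""
    permitted = {(r["proto"], r["port"]) for r in rules}
    missing = sorted((k for k in REQUIRED if k not in permitted), key=str)
    broad = [r for r in rules if r["src"] == "any"]
    return missing, broad

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    missing, broad = check_ipsec_passthrough(rules)
    print("not permitted:", missing)  # tcp 4500 is listed, but NAT-T uses udp 4500
    print("rules open to any source:", len(broad))
```

Run against the quoted lines it reports that UDP 4500 is not permitted (the listed rule is TCP 4500) and that all three rules accept any source.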
