Configuring VPN pass through in PIX 501

Jun 21st, 2003

Need to configure the following:


PC with VPN client 3.5.2 --- PIX 501 (v 6.2) --- Internet --- VPN Concentrator 3000 - Company network


External interface of PIX has only 1 PPPoE address assigned by ISP.

Problem is that after tunnel is up, there is no traffic inbound from the company network.

This config works if I substitute the PIX with a D-Link 804V router. The difference is a line in the VPN client log:

22 10:10:45.820 06/22/03 Sev=Info/4 IPSEC/0x63700019

Activate outbound key with SPI=0xf7b90d23 for inbound key with SPI=0x51bb9760

The above line is missing in the PIX case.

I've set up NAT for the PIX and sysopt connection permit-ipsec.

What could be the problem?

Is there any article showing how to setup pass through VPN access through a PIX 501?



Do you control the VPN 3000? I would enable the encapsulation through UDP feature - it works great behind all kinds of NAT devices that may or may not have some IPSec awareness that can get in the way. It is enabled by default on the Cisco client software. I got similar behaviour to you when I disabled the use of this feature on my client when connecting with it from behind my 501 to my 3000 at work - an inbound tunnel works, but outbound does not. I don't think fixup protocol esp-ike works on pixen doing PAT, so that probably isn't an option.
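The diagnostic the question and this reply turn on (whether the client ever activated an outbound key) can be checked mechanically. The following is an added example, not code from the thread: a small Python parser for Cisco VPN Client 3.x log entries in the layout quoted in the question. The two-line entry with the SPIs is the one from the question; every other sample entry is constructed for illustration.

```python
import re

# Cisco VPN Client 3.x log layout, as quoted in the question:
#   <seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Level>/<n> <FACILITY>/<hexcode>
#   <message text on the following line>
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<lvl>\d)\s+(?P<fac>\w+)/(?P<code>0x[0-9a-fA-F]+)$"
)
# The message the thread identifies as present behind the D-Link and missing behind the PIX.
ACTIVATE_RE = re.compile(
    r"Activate outbound key with SPI=(?P<out>0x[0-9a-fA-F]+)"
    r" for inbound key with SPI=(?P<in>0x[0-9a-fA-F]+)"
)

# Constructed sample: working case (the SPI line is the one quoted in the question).
WORKING_LOG = """
21 10:10:45.800 06/22/03 Sev=Info/4 IKE/0x63000058
(constructed) IKE negotiation complete
22 10:10:45.820 06/22/03 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0xf7b90d23 for inbound key with SPI=0x51bb9760
"""

# Constructed sample: the PIX case as described, where the activation line never appears.
PIX_LOG = """
21 10:10:45.800 06/22/03 Sev=Info/4 IKE/0x63000058
(constructed) IKE negotiation complete
"""


def parse_entries(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and not HEADER_RE.match(lines[i + 1]):
            entries.append({**m.groupdict(), "msg": lines[i + 1]})
            i += 2
        else:
            i += 1  # stray line without a header: skip it
    return entries


def outbound_sa_status(text):
    """Return (outbound SPI, inbound SPI) if the client activated an outbound key,
    or None if only the inbound side came up, the symptom described in the thread."""
    for e in parse_entries(text):
        if e["fac"] == "IPSEC":
            m = ACTIVATE_RE.search(e["msg"])
            if m:
                return (m.group("out"), m.group("in"))
    return None
```

A None result on a client log is the PIX-side symptom from the question: IKE completed but no outbound IPsec SA was ever activated, so return traffic from the company network will not flow.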


kaioyang Sun, 06/22/2003 - 12:29

Thanks.


I don't control the VPN3k. However, I was told that transparent tunneling is enabled on UDP (and that's what it was at the client options). I am able to get the VPN tunnel to talk properly using the following PIX configuration, but only the designated machine can access the Internet and VPN now; the other machines in the LAN can't do anything until I remove the static statement.

I read that in PIX 6.2 there is a limitation of 1 traversal VPN through the PIX, but that's all I need. So, what can I do to allow the other PCs to access the Internet while I VPN back to work?


Thanks

Kai


PIX configuration:

access-list to_outside permit ip 192.168.1.0 255.255.255.0 any
access-list to_outside permit icmp 192.168.1.0 255.255.255.0 any
access-list from_work permit ip host 192.168.1.0 255.255.255.0
access-list from_work permit icmp any any time-exceeded
access-list from_work permit icmp any any echo-reply
mtu outside 1400
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) interface 255.255.255.255 0 0
access-group from_work in interface outside
access-group to_outside in interface inside


engel Sun, 06/22/2003 - 20:05

Hi,


You don't need to define the static NAT. The global (outside) and nat (inside) combination will take care of the IP address translation of the VPN client traffic (which is UDP port 500 and UDP port 10000 in case of IPSec over UDP encapsulation).

By the way, what version of the client do you use?


Regards,

Engel
