
VPN from behind a PIX

Jan 16th, 2007

Hello,


I have someone on our internal network who needs to VPN to a customer's site. I've set up rules on the outside interface allowing PPTP and GRE from the server that the person is connecting to, to our internal network. The user is able to connect and authenticate, but after that they are not able to get to any of the servers on the customer's site.

The person is using the Check Point VPN client to connect.


Any help is greatly appreciated.


lowen Thu, 01/18/2007 - 14:14

Just went through this process (except client was Cisco and firewall was FWSM context). Try enabling esp inbound:

access-list whatever extended permit esp host server any


or something like that. If that doesn't work, make sure you have an explicit "deny ip any any log" at the end of your inbound ACL, have the logging level set correctly, and review the log. You should see messages sourced from the server being denied, which will tell you what you need to allow.

scottosan Mon, 01/22/2007 - 09:50

Unless you are using IPsec over TCP, you will need a 1-for-1 NAT. Standard IPsec does not work properly through a PAT'ed address.
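The two replies together describe one change set: permit the IPsec traffic (ESP and IKE) from the customer's gateway, finish the inbound ACL with a logged deny so dropped packets show up in the log, and give the client a one-to-one static translation instead of PAT. This is an added PIX 7.x configuration sketch, not from the thread; the interface names, the ACL name outside_in, the syslog host and all addresses are placeholders.

```text
! Added example, not from the thread. Assumes PIX 7.x syntax, interfaces named
! outside/inside, and placeholder addresses: 203.0.113.10 = customer VPN gateway,
! 198.51.100.5 = a spare public address on our side, 192.168.1.50 = the user's
! inside workstation, 192.168.1.20 = our syslog server.

! 1-for-1 (static) translation so the client is not behind PAT
static (inside,outside) 198.51.100.5 192.168.1.50 netmask 255.255.255.255

! Inbound rules from the customer gateway to the client's mapped address
! (pre-8.3 ACLs match on the translated address, not the inside address)
access-list outside_in remark PPTP control channel and GRE, as already configured
access-list outside_in extended permit tcp host 203.0.113.10 host 198.51.100.5 eq pptp
access-list outside_in extended permit gre host 203.0.113.10 host 198.51.100.5
access-list outside_in remark IPsec: IKE (udp/500), ESP, and NAT-T (udp/4500) if the client uses it
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list outside_in extended permit esp host 203.0.113.10 host 198.51.100.5
access-list outside_in extended permit udp host 203.0.113.10 host 198.51.100.5 eq 4500
access-list outside_in remark explicit, logged deny so every drop is recorded as %PIX-4-106023
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! 106023 denies are level 4 (warnings); logging below that level hides them
logging enable
logging trap warnings
logging host inside 192.168.1.20
```

With the logged deny in place, any remaining drop from the peer appears as a 106023 message naming the protocol and ports, which is exactly what the first reply says to read off and then allow.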
