Cisco Support Community
ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Implementing VPNs on Cisco PIX Firewall with Cisco expert Aamir Waheed. Aamir is a Senior Customer Support Engineer for the Cisco Technical Assistance Center (TAC). He is responsible for issues pertaining to VPNs in general or to any specific virtual private network. Feel free to post any questions relating to Implementing VPNs on Cisco PIX Firewall. Remember to use the rating system to let Aamir know if you've received an adequate response.

Aamir might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through April 25. Visit this forum often to view responses to your questions and the questions of other community members.

102 REPLIES
New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Aamir,

I am in the process of setting up a VPN using our Cisco 3660 w/ an AIM-VPN hardware encryption/decryption installed. We do not run a PIX firewall, but generally speaking, are the addresses you provide for the pool of addresses internal or external to your network? We do NATing on our Firewall which is directly connected to our 3660, and I am trying to figure out the preferred way / best way to allow users of the VPN to enter our network. If there is any documentation on this, please provide me a link, if possible, to see the Router Config.

Thanks,

Scott

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Scott,

Thanks for your question. VPN clients are usually assigned inside/internal network addresses, as the clients access internal resources by VPN'ing into VPN devices.

Additionally you can take a look at the following VPN client to head-end devices configurations to understand this better:

http://www.cisco.com/warp/public/480/ipsec-ios-tacacs.html

http://www.cisco.com/warp/public/110/pix3000.html

http://www.cisco.com/warp/public/471/ipsecrouter_vpn.html

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Aamir,

Thank you for your quick response. I guess my biggest issue is the following. My router (as usual) sits outside the firewall, thus it has an external IP address connecting it to the FW. Our Firewall then does the NATing for the contents inside. Most of the examples that have been provided, which are very good, avoid this by letting the router do the NATing. This is my predicament. In an ideal world I'd have a test bed to run this, but it's difficult to justify buying a second 3660 and a second T3 for testing only. :) If it is pretty standard practice to allow the router to do NATing and having the only addressed outside connection, I might contemplate trying that. If NATing these addresses on the FW would solve the problem, that would be the way to go for us. I need to keep the FW in the mix to try and control the contents going across the VPN instead of making horrendous ACL on the router.

Thanks for your help and insight.

-Scott

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Scott,

You are absolutely correct in your implementation. The Firewall is probably a better option to do that NAT although you can have it on the Router as well. For example, the PIX firewall can PAT around 65000 hosts on a single address and can handle those without any problems.

You can look through some of the following links with NAT being done on the PIX:

http://www.cisco.com/warp/public/110/dynamicpix.html

http://www.cisco.com/warp/public/707/vpn_pix_private.html

Hope this helps,

Regards,

Aamir Waheed

Cisco Systems, Inc.

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi!

I have a problem. We are using a pix 501 6.3(1) and a 3005 using easy vpn. Everything works fine, all communication is working - But we can't get the dhcprelay function to work.

Config as follows:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXX encrypted
passwd XXXXX encrypted
hostname FW
domain-name alcro-beckers.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.100.182.124 255.255.255.248
ip address inside 137.33.186.65 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm location 137.33.188.0 255.255.252.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.100.182.113 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 137.33.186.64 255.255.255.240 inside
http 137.33.188.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 137.33.188.0 255.255.252.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 137.33.186.66-137.33.186.78 inside
dhcpd dns 137.33.188.125
dhcpd wins 137.33.188.103 137.33.188.101
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain alcro-beckers.com
dhcpd auto_config outside
dhcprelay server 137.33.188.108 outside
dhcprelay enable inside
dhcprelay setroute inside
vpnclient server 194.132.127.2
vpnclient mode network-extension-mode
vpnclient vpngroup xxxx password ********
vpnclient username xxxx password ********
vpnclient enable
terminal width 80
Cryptochecksum:e48235f5f0acf8d7e86edee27ee8ebb8
: end
[OK]

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks much for your question, I just tried it here in the lab and it seemed to work fine for me, I would suggest working with a TAC Engineer to see how you are trying to get this to work to further troubleshoot it.

Regards,

Aamir Waheed,

Cisco Systems, Inc.

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

What are the differences in using routers or Pix to make VPN between two sites ?

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks for your question. The biggest difference between using a Router and a Firewall for VPN is the Hub & Spoke implementation, where the Router can be used as a Hub for different spokes to talk to each other, but the Firewall usually doesn't allow for traffic to bounce off its interfaces, hence any Spoke to Spoke traffic cannot work with a Firewall as a hub. Additionally Firewall brings with it firewalling capabilities which are useful when you need one device to perform both VPN & Firewalling.

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Aamir:

I have a strange situation, I'm trying to do a low budget VPN for one of our small offices using a Linksys BEFVP41 at the remote office and our PIX 515 here.

I can create the tunnel just fine and I can ping workstations and servers on either side of the tunnel but I can't do much else.

From the Linksys side I can ping any workstation or server on the MAINOFFICE side but I can't ping the internal interface of the PIX.

From the MAINOFFICE side I can ping any workstation on the Linksys side, including the IP address of the internal interface of the Linksys (192.168.0.1).

If I try to even open our Intranet (which resides on the MAINOFFICE side) from the Linksys side using the IP address of the web server (10.5.10.9) it fails, I can ping it but IE5.5 gives a "We can't find 10.5.10.9" error.

I've tried adjusting the MTU on the Linksys to 1400 to compensate for the additional 56k of header info for the IPSec, but to no avail.

Any ideas?

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks for your question. PIX being a firewall, we cannot go through the PIX to ping an interface. Basically it doesn't allow traffic to go across it to an interface within the PIX; if it's destined for any devices behind it then it's fine, but as a design we cannot ping across the PIX to one of its interfaces.

Kindly try going through it to some inside hosts and see if they are accessible, as that should work fine. Also make sure you have "sysopt connection permit-ipsec" for IPSec traffic to go through the PIX without any problems.

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Aamir:

I bow to the PIX Guru. The "sysopt connection permit-ipsec" solved the problem!

Thanks so much, you've helped me save what little bit of hair I have left....I had started tearing it out in clumps!

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Great that I could be of some help :-)

Regards,

Aamir

-=-=-
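The Linksys question above also touched MTU: the poster dropped the Linksys MTU to 1400 to make room for IPsec headers. The overhead in question is ESP tunnel-mode encapsulation, and it is a few dozen bytes per packet, so a worked calculation shows how much headroom a given MTU actually has. The Python below is an added example written for this page, not code from the thread, Cisco or Linksys. It assumes IPv4 inner and outer headers without options, the ESP-CBC ciphers and HMAC-96 integrity algorithms that PIX 6.x transform sets use (IV of one cipher block, 12-byte ICV), and optional NAT-T UDP encapsulation; the `SUITES` table and function names are this example's own.

```python
"""ESP tunnel-mode overhead for the transform sets PIX 6.x offers.

Added worked example for this thread, not code from Cisco or a poster.
Assumes IPv4 inner and outer headers without options, ESP-CBC ciphers,
HMAC-96 integrity, and no extended sequence numbers.
"""
from dataclasses import dataclass

IPV4_HDR = 20    # outer IP header added by tunnel mode
UDP_HDR = 8      # NAT-T UDP encapsulation (RFC 3948), when in use
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header, inside the encrypted part
TCP_HDR = 20


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int  # cipher block size; padding aligns to it
    iv: int     # IV carried in clear after the ESP header
    icv: int    # truncated HMAC appended after the encrypted part


# PIX 6.x transform-set names mapped to their on-the-wire sizes
SUITES = {
    "esp-3des esp-md5-hmac": EspSuite("esp-3des esp-md5-hmac", block=8, iv=8, icv=12),
    "esp-3des esp-sha-hmac": EspSuite("esp-3des esp-sha-hmac", block=8, iv=8, icv=12),
    "esp-aes esp-sha-hmac": EspSuite("esp-aes esp-sha-hmac", block=16, iv=16, icv=12),
}


def esp_padding(inner_len, suite):
    """Pad bytes needed so inner packet + trailer is a whole number of blocks."""
    return (-(inner_len + ESP_TRAILER)) % suite.block


def _fixed_overhead(suite, nat_t):
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv + suite.icv


def encapsulated_size(inner_len, suite, nat_t=False):
    """Outer IPv4 packet size carrying an inner IP packet of inner_len bytes."""
    return (_fixed_overhead(suite, nat_t) + inner_len
            + esp_padding(inner_len, suite) + ESP_TRAILER)


def max_inner_packet(outer_mtu, suite, nat_t=False):
    """Largest inner IP packet that fits outer_mtu without fragmentation."""
    budget = outer_mtu - _fixed_overhead(suite, nat_t)
    budget -= budget % suite.block      # encrypted part must be block aligned
    return budget - ESP_TRAILER


def max_tcp_mss(outer_mtu, suite, nat_t=False):
    """TCP MSS to clamp to so full segments cross the tunnel unfragmented."""
    return max_inner_packet(outer_mtu, suite, nat_t) - IPV4_HDR - TCP_HDR


def fits(inner_len, outer_mtu, suite, nat_t=False):
    """True if an inner packet of inner_len bytes survives a path with outer_mtu."""
    return encapsulated_size(inner_len, suite, nat_t) <= outer_mtu


if __name__ == "__main__":
    for name, suite in SUITES.items():
        for nat_t in (False, True):
            print(f"{name:24} nat-t={nat_t!s:5} "
                  f"max inner {max_inner_packet(1500, suite, nat_t)} "
                  f"tcp mss {max_tcp_mss(1500, suite, nat_t)}")
    # The 1400-byte inner MTU tried in the thread, over esp-3des esp-md5-hmac:
    # 1456 bytes on the wire, leaving 44 bytes of headroom on a 1500-byte link.
    print(encapsulated_size(1400, SUITES["esp-3des esp-md5-hmac"]))
```

For a 1500-byte outer MTU and esp-3des esp-md5-hmac the largest inner packet is 1446 bytes, so an inner MTU of 1400 is safe but conservative; the number to clamp TCP MSS to is 1406. Adding NAT-T or moving to AES-CBC costs another 8 or 16 bytes respectively, and with a PPPoE or other reduced outer MTU the budget shrinks accordingly, so compute from the real outer MTU rather than assuming 1500.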

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Aamir,

Hi, I have been troubleshooting an ongoing PIX/VPN problem and I'm out of ideas. Hoping you know the fix.

My customer has a PIX 515 configured as a VPN server for remote access clients (Win 2K PCs w/ Cisco VPN SW Client ). The remote clients authenticate to the PIX with no problem. They can search for and find internal servers by name and by IP address. The problem is that they cannot browse through "My Network Places" and see the domain or anything.

All remote clients are already part of the win2k domain.

We have modified the LMHOSTS file to include PDC and domain name.

Here's the PIX cfg:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable
passwd
hostname xxxxxxxxxx
domain-name xxxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 100 permit ip 192.168.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 199.199.199.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 permit ip 172.16.1.0 255.255.255.0 199.199.199.0 255.255.255.0
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 135
access-list 100 permit udp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq netbios-ns
access-list 100 permit udp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq netbios-dgm
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq netbios-ssn
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 42
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq ldap
access-list 100 permit udp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 389
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq ldaps
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 3268
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 3269
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq domain
access-list 100 permit udp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq domain
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 88
access-list 100 permit udp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 88
access-list 100 permit tcp 199.199.0.0 255.255.0.0 172.16.1.0 255.255.255.0 eq 445
access-list 100 deny ip any any
pager lines 24
logging buffered errors
interface ethernet0 auto
interface ethernet1 auto
icmp deny any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside XXX.XXX.XXX.XXX 255.255.255.224
ip address inside 199.199.199.4 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool CLIENTPOOL 172.16.1.1-172.16.1.253
pdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX
global (outside) 1 XXX.XXX.XXX.XXX netmask 255.255.255.224
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
route inside 192.168.11.0 255.255.255.0 199.199.199.7 1
route inside 199.199.0.0 255.255.0.0 199.199.199.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set VPNTUNNEL esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set VPNTUNNEL
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup xxxxxxxxxx address-pool CLIENTPOOL
vpngroup xxxxxxxxxx dns-server 199.199.199.1
vpngroup xxxxxxxxxx wins-server 199.199.199.1
vpngroup xxxxxxxxxx default-domain xxxxxx.com
vpngroup xxxxxxxxxx idle-time 1800
vpngroup xxxxxxxxxx password ********
telnet timeout 5
ssh timeout 5
terminal width 80

LMHOSTS file looks like this:

199.199.199.1 ACMEPDC #PRE #DOM:ACMECOMPANY
199.199.199.1 "ACMECOMPANY \0x14"

Is this a Microsoft Win 2K domain problem? I am out of ideas and my customer is out of patience.

Any help is much appreciated!

Thanks!

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks for your question, I will suggest trying the Start before login option on the client.

Do make sure to enable

"Netbios over TCP/IP" <<--!!

and you can find this in the TCP/IP Properties page, under WINS tab

for the LAN and for the DSL connection.

Both have to be enabled for this to work.

Once it's done it should help you out.

Also make sure you have the "Enable LMHOSTS lookup" under the same tab.

You wouldn't have to make any config changes on the PIX for this to work.

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

-=-=-
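Two things in this thread are easy to verify mechanically from a PIX 6.x configuration: Aamir's earlier point that IPsec traffic needs "sysopt connection permit-ipsec" (or an explicit interface ACL) to pass, and the way the configuration posted in this question reuses access-list 100 both as the NAT-exemption list in "nat (inside) 0 access-list 100" and as the outside interface ACL in "access-group 100 in interface outside", so a permit added for one purpose silently changes the other. The Python below is an added example written for this page, not code from Cisco or from any poster. It parses only the statements those checks need, plus the isakmp policy and snmp-server community lines, and reports findings. The configuration it runs on is constructed for the example and modeled on the one posted above; unlike the posted one it deliberately omits the sysopt line so that check fires. The finding codes, severity labels and weak-algorithm sets are this example's own.

```python
"""Static review of a Cisco PIX 6.x configuration.

Added example for this thread, not code from Cisco or from any poster.
It recognises only the statements the checks need and ignores the rest.
"""
import re
from collections import defaultdict

# Constructed sample, modeled on (not copied from) the configuration posted
# in the thread. The sysopt connection permit-ipsec line is deliberately absent.
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 100 permit ip 192.168.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 deny ip any any
ip local pool CLIENTPOOL 172.16.1.1-172.16.1.253
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
snmp-server community public
crypto ipsec transform-set VPNTUNNEL esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set VPNTUNNEL
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

WEAK_HASHES = {"md5"}
WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_pix(text):
    """Extract the statements the audit needs from a PIX 6.x config."""
    cfg = {
        "sysopt_permit_ipsec": False,
        "crypto_map_ifaces": {},      # interface -> crypto map bound to it
        "access_groups": {},          # interface -> inbound ACL name
        "nat0_acls": set(),           # ACLs used for NAT exemption (nat 0)
        "isakmp": defaultdict(dict),  # policy number -> {parameter: value}
        "snmp_communities": set(),
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-ipsec":
            cfg["sysopt_permit_ipsec"] = True
        elif m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            cfg["crypto_map_ifaces"][m.group(2)] = m.group(1)
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            cfg["access_groups"][m.group(2)] = m.group(1)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nat0_acls"].add(m.group(1))
        elif m := re.fullmatch(r"isakmp policy (\d+) (\S+) (\S+)", line):
            cfg["isakmp"][m.group(1)][m.group(2)] = m.group(3)
        elif m := re.match(r"snmp-server community (\S+)", line):
            cfg["snmp_communities"].add(m.group(1))
    return cfg


def audit(text):
    """Return (severity, code, message) findings for a PIX 6.x config."""
    cfg = parse_pix(text)
    findings = []
    for iface, cmap in sorted(cfg["crypto_map_ifaces"].items()):
        acl = cfg["access_groups"].get(iface)
        if cfg["sysopt_permit_ipsec"]:
            findings.append(("INFO", "SYSOPT_BYPASSES_ACL",
                f"decrypted IPsec traffic entering {iface} bypasses ACL {acl or '(none)'}"))
        else:
            findings.append(("WARN", "NO_SYSOPT_PERMIT_IPSEC",
                f"crypto map {cmap} on {iface} without 'sysopt connection permit-ipsec'; "
                f"decrypted traffic must be permitted by {'ACL ' + acl if acl else 'an ACL, and none is bound'}"))
    for acl in sorted(cfg["nat0_acls"] & set(cfg["access_groups"].values())):
        findings.append(("WARN", "ACL_SHARED_NAT0_ACCESS_GROUP",
            f"access-list {acl} is both the NAT-exemption list and an interface ACL; "
            "a permit added for one purpose changes the other"))
    for community in sorted(cfg["snmp_communities"]):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH", "SNMP_DEFAULT_COMMUNITY",
                f"snmp-server community '{community}' is a well-known default"))
    for num, p in sorted(cfg["isakmp"].items(), key=lambda kv: int(kv[0])):
        if p.get("hash") in WEAK_HASHES:
            findings.append(("WARN", "WEAK_ISAKMP_HASH", f"isakmp policy {num} uses hash {p['hash']}"))
        if p.get("encryption") in WEAK_CIPHERS:
            findings.append(("WARN", "WEAK_ISAKMP_ENCRYPTION", f"isakmp policy {num} uses {p['encryption']}"))
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(("WARN", "WEAK_ISAKMP_DH_GROUP", f"isakmp policy {num} uses DH group {p['group']}"))
    return findings


def finding_codes(text):
    """Set of finding codes, convenient for tests and CI gating."""
    return {code for _, code, _ in audit(text)}


if __name__ == "__main__":
    for severity, code, message in audit(SAMPLE_CONFIG):
        print(f"{severity:4} {code}: {message}")
```

Run it over a saved "write terminal" capture; the sysopt check is the one that answers the Linksys question earlier in the thread, and the shared-ACL check is the one to keep an eye on in the configuration above, where a single access-list 100 decides both what is exempt from NAT and what the outside interface admits. The isakmp findings reflect current guidance rather than what PIX 6.x shipped with, since 3DES, MD5 and DH groups 1 and 2 were the norm when these posts were written.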

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

I have a VPN with IPSEC setup on my PIX and I can see my server....but I can't logon to it...

It's WIndows 2000 server...

How to you tell the VPN client or/and PIX to connect to the domain with your username and password???

Because I need to logon to the domain so that I can map some drive(that are on the domain) on the outside PC...

I have two PC for testing...one with Win 98 and the other one with XP and I using VPN client 3.6.3....

Can you help me with that???

Thanks in advance

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks for your question, I will suggest trying the Start before login option on the client.

Do make sure to enable

"Netbios over TCP/IP" <<--!!

and you can find this in the TCP/IP Properties page, under WINS tab

for the LAN and for the DSL connection.

Both have to be enabled for this to work.

Once it's done it should help you out.

Also make sure you have the "Enable LMHOSTS lookup" under the same tab.

You wouldn't have to make any config changes on the PIX for this to work.

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Thanks Aamir...

But the problem is that I can log on to only one of the servers...

The second one doesn't have Active Directory on it and is only used for sharing purposes...

The thing is that everything works under Windows 98 but in 2000 and XP it doesn't work...why???

It's like when connecting, XP or 2000 doesn't recognize the server in the domain...it's like I'm not logged on to the domain...

Can you help me solve this problem???

Thanks!!!

Steve St-Amand

Biotonix Inc.

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Steve,

Unfortunately this issue pertains to the Microsoft 2000/XP domain setup and I am not too familiar with Windows problems.

Regards,

Aamir

Gold

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir,

In terms of the latest PIX software 6.3 new features, I was wondering how the local user authentication database can be configured for VPN clients. For instance, what value should I set for the 'authen_service' for the command aaa authentication??

The actual story is that I was trying to get the Pocket PC movianVPN to work with the PIX515E. However, it turns out that an external authentication server is needed. Thus, I am interested in understanding how this new feature in 6.3 would help me to cope with this situation.

I am looking forward to hearing from you promptly. Also, would you please post a configuration example??

Cheers,

Jack

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Jack,

Thanks much for your question. You can check out the following link for how to connect a VPN client to a PIX Firewall without a AAA server:

http://www.cisco.com/warp/public/110/pix3000.html

Actually we cannot use the local Authentication for the Crypto map:

As per the following link:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/basclnt.htm#1066294

--> crypto map map-name client authentication aaa-group-tag

where they do not use the Local keyword for the vpngroup command at this time. There is a Feature request that has already been made for that to be integrated under: CSCea77993. Kindly get in touch with your account team if you want to try and expedite its integration into the PIX code.

Hope this helps,

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

-=-=-

Gold

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir,

Thanks for your quick response. According to the latest command reference, http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm, the crypto map command does accept the keyword LOCAL. However, this new feature in PIX 6.3, Local user authentication database, is confusing. I guess it would be good if Cisco could provide a configuration example.

Cheers,

Jack

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Jack,

I have verified with the development team that they did integrate this feature in the v6.3 but it wasn't widely documented and there is no sample config that exists for this feature yet. I have requested this document to be created and it should be available on Cisco website soon.

Thanks for pointing it out,

Regards,

Aamir

-=-=-

Gold

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Dear Aamir,

As we have to set up the tunnel between the PIX and movianVPN Pocket PC in 3 days, would you please post some samples that might be helpful?? Thanks a lot.

Cheers,

Jack

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Jack,

Thanks for your question, actually Movian has the following on their website, which should get you all the required information:

http://www.certicom.com/pdfs/support/PIX_deployment_guide.pdf

Additionally PIX Firewall only supports:

movianVPN Palm & movianVPN CE

http://www.certicom.com/products/movian/movianvpn_support.html

Hope this helps,

Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir,

I am trying to get the new feature in 6.3.1 with management-access to work in a NATed environment.

We have a number of VPN connections to our customers for support issues and use NAT so we do not have to worry about their network addresses.

The schematics is as follows:

Cisco IOS FW (Internal=10.255.0.0) --> PIX (NAT=10.255.253.22x).

access-list 101 permit ip 10.255.253.224 255.255.255.224 10.255.0.0 255.255.255.0
ip address outside 172.16.173.100 255.255.255.0
ip address inside 192.168.33.3 255.255.255.0
static (inside,outside) 10.255.253.227 192.168.33.5 netmask 255.255.255.255 0 0
static (inside,outside) 10.255.253.225 192.168.33.3 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 172.16.173.126 1
crypto map ifrtoconn 10 match address 101
crypto map ifrtoconn 10 set peer 172.16.173.126
isakmp nat-traversal 20
telnet 10.255.0.0 255.255.255.0 inside

If we do not use NAT, we can reach the PIX internal interface with telnet but not when we use NAT as explained above.

Any ideas ?

Best Regards

//Tomas

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Tomas,

Thanks much for your question. I have gotten in touch with the development team to see if this is a limitation of the feature; if not we might file a bug on it. Will let you know how it goes. Thanks for pointing it out to us.

Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Aamir,

We currently have in place a LAN-LAN VPN tunnel using a PIX515 and a PIX501. This works well except I have to log into a remote machine on the opposite end of the VPN to admin the firewall at that end. I have tried adding my machine's IP to the correct areas in the config but the connection gets dropped. Any ideas on how to get around this? My only thought is to set up the NAT address for our firewall as an allowed conf on the outside interface and access the remote firewall using its outside IP, but I would like to avoid that if possible.

Thanks,

Richard

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Richard,

Thanks much for your question. Actually you can telnet to the outside interface of the PIX Firewall while you are coming through a LAN to LAN IPSec tunnel. But you cannot telnet to the inside PIX interface coming across the tunnel, hence to get around this you can add the following to your config:

telnet x.x.x.x y.y.y.y outside, where x.x.x.x is your ip address & y.y.y.y is your subnet mask.

Hope this helps,

Regards,

Aamir

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Greetings Aamir, my question may be kind of broad so I will just blurt it out there.

We are using a PIX 525 to terminate a VPN tunnel from workstations using the Cisco VPN client. The tunnel will connect and the user will be authenticated just fine. I have the tunnel set up for split tunneling and we have the vpngroup idle time out setting set to 8 hours but the tunnels seem to be dropping erratically at random intervals whether there is data running through them or not. Just a note here, the PIX is a bastion firewall on our internal network governing traffic between various subnets in the same Class B address range. The workstations are also on various subnets of the same Class B range.

However, in trying to troubleshoot this issue I have come to realize that the workstations have a route to the remote IP address that we are trying to connect to that points to the external interface of the PIX along with an accompanying access-list allowing these workstations through. Thus when the workstation connects using the VPN tunnel along with split tunneling it appears that the workstation has two routes to the same IP address and it also appears that the workstations are getting confused. Can this be causing the flaky behavior of the VPN client? I currently have plans to turn off split tunneling in an effort to combat this confusion. Do you think this will help?

PFiero
