
ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Implementing VPNs on Cisco PIX Firewall with Cisco expert Aamir Waheed. Aamir is a Senior Customer Support Engineer for Cisco Systems' VPN Technical Assistance Center (TAC). He is responsible for issues pertaining to VPNs in general and for any specific VPN escalations where customers need assistance. Feel free to post any questions relating to Implementing VPNs on Cisco PIX Firewall.

Aamir might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 30. Visit this forum often to view responses to your questions and the questions of other community members.

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir,

We've been having problems with our VPN PIXes. They reboot randomly and with no warning or error messages. Is there anything you can recommend?

Or anything we should be checking?

thanks,

Mario

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Mario,

Thanks for your question..

I would suggest opening a TAC case on this with the version you are using, and try getting the output of the messages it gives by connecting a console to the PIX; you can follow the steps at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemint.htm#xtocid2 for this. The PIX would not normally crash like this, so this might need to be looked into.

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

We had a similar problem. Turned out to be a manufacturer defect: a faulty connection where the power connector meets the motherboard.

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

There are Field Notices out for such issues; you can check for your specific hardware model or software version at http://www.cisco.com/warp/public/tech_tips/index/fn.html for more details.

Regards,

Aamir

-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

I've got to create 2 site-to-site VPNs as well as several client-to-site VPNs. The site-to-site ones are remote clinics with 3 to 4 computers per site. They'll be accessing enterprise applications across the WAN. The clients are for remote access to things like email, files, etc., from home or on the road via multiple ISPs. We already use a PIX 506 at the main campus for our Internet firewall. My questions are:

1) Will the PIX 506 at the main campus be sufficient to handle the existing Internet traffic at the main campus plus the new traffic from the two remote sites and the 6-10 individual clients? There will be about three computers per remote site. Or should I use a dedicated VPN device?

2) Should I have the remote sites come through the main site and then out to the Internet, or should I split at the remote site and have them access the Internet without going through the main campus?

Thanks for the input...

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Rao,

I will answer your questions inline...

1) Will the PIX be sufficient to do that? The answer is: it depends. The total number of Security Associations supported on the PIX 506 is 25 simultaneous SAs, so I would think that with 2 remote sites (with 3-4 machines) and some 5-8 remote access clients it should be fine, but if you have more than a single network behind these devices then you will need a bigger box. So my suggestion is to go with a dedicated VPN device at the main site.

2) In the case of the PIX Firewall we will not be able to do hub and spoke, as the spokes would not be able to talk through the hub (due to the firewall feature of not letting you bounce off the firewall), so in that case you would need a router or CVPN3000 to terminate the VPNs, to make that device the hub and let all spokes talk through it. If you want, you can also access the Internet directly from the remote sites as well, especially if you do not want to use the Internet connection at the main site for remote-site Internet traffic.

Details on PIX506 features/limitations:

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/p506e_ds.htm

Hope this helps,

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hey Aamir,

At work, we're experimenting with 2 PIX 501s, creating an IPsec VPN tunnel over the Internet (cable connections). After reading a lot of documents and troubleshooting different problems, I've got things working. The only problem at the moment is that establishing the tunnel from one end works fine (I can get to different internal networks). But when trying to connect from behind the other PIX 501, the tunnel is established and packets get encrypted, but I get no return traffic (packets decrypted: 0). I already read several documents and tried the "troubleshoot assistant" but I can't seem to get things working.

URLs I already visited while troubleshooting:

http://www.cisco.com/warp/public/110/ipsec_tun_pass_data.html

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/

http://www.cisco.com/warp/public/707/ipsec_debug.html

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks for your question.. I would try to answer it to your satisfaction..

Usually issues pertaining to one-way encryption working, or tunnel establishment working only one way, have to do with overlapping SAs. In other words, the site which is not encrypting the traffic back probably either has another VPN tunnel which sees this traffic as interesting traffic and sends it there, or the access-lists on both ends are not mirror images of each other, so when this side generates the request the other side doesn't like it.

Kindly run "debug crypto isakmp" and "debug crypto ipsec" when initiating from this remote site (which doesn't bring up the tunnel) and compare the debugs at http://www.cisco.com/warp/public/707/ipsec_debug.html#error4

Hope this helps..

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir,

I'm sorry, perhaps I didn't make myself clear. I get no such error while debugging. The tunnel gets established successfully both ways, but traffic gets passed successfully only one way. First I thought it had something to do with the access-lists not mirroring each other, but they do. The differences between the 2 PIX firewalls are that behind 1 PIX I have a second internal network, so the crypto access-lists on both sides have 2 entries (mirroring each other). From one side I can get to both those networks without any probs. The second difference is that I'm using PPTP Microsoft clients to establish a VPN connection with one PIX (also no problems), so only the nat 0 access-list differs on one PIX (it has 2 extra entries pointing at the client VPN pool). I'm using different access-lists for "nat 0" and "crypto match" on both sides.

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

I think we might need to look into the configs a little deeper to figure this one out :-) The best thing to do would be to open a TAC case on this and troubleshoot with the engineer.

Hope this helps,

Regards,

Aamir

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

We've set up user laptops to VPN to a VPN 3005. The user VPN laptop is connecting from an ADSL-router-based LAN. The VPN 3005 is configured with MS RADIUS authentication. The network is NT4 domains.

All works fine except we can't execute login scripts. Any ideas how we can execute the login script?

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

There were some problems with the login scripts in the older versions of the clients which were fixed later; kindly try the latest client and if it still doesn't help, open a TAC case for further troubleshooting.

Regards,

Aamir

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir

Both the client and the 3005 are on the latest OS.

VPN client ver = 3.5.2(C)

CVPN3005 OS ver =3.6.Rel Aug 06 2002 - vpn3005-3.6.Rel-k9.bin.

Thanks for your help, I've opened a TAC case.

Tariq Sharif

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir, I recently implemented 2 3030 concentrators that sit between a PIX and a Check Point firewall. Users connect via the latest client and I have the latest OS on the concentrators. My problem is with some broadband users and Outlook. They cannot send or receive large emails or emails with attachments. These users have adjusted the MTU setting several times without any success. Any suggestions? Could the PIX be dropping packets?

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks for your question..

In such a scenario, where you have specific applications not working, I would suggest you check a couple of things.

Firstly, for broadband users, make sure you try both the IPSec/TCP as well as the IPSec/UDP option, as sometimes one works better than the other due to QoS at the provider end. Also make sure that no compression is turned on for the group these broadband users are connecting to, as that affects their performance.

Secondly, for Outlook, usually these issues are MTU related. What I would suggest is a couple of things:

Try using the freeware Dr. TCP software for MTU reduction; it works much better than normal MTU changes (it has worked for me a lot of times).

See if the issue is OS platform specific.

See if they are running the latest client version.

If all this is done, then we might need to troubleshoot this with TAC and file a bug on the specific issue that you see, as generally Outlook works fine after MTU re-adjustments.

Thanks and Regards,

Aamir Waheed,

Cisco Systems, Inc.

CCIE#8933

-=-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

I would like to ask questions regarding VPN interoperability between a PIX (in this case a PIX 501) and a VPN 3000 (in this case a VPN 3060). I think there would be no issues on the basic connection (Phase 1 and Phase 2 connection). But in the following cases:

1. Any issues on re-keying phase 1 ? Packet dropped while both of devices doing re-key ?

2. Re-keying phase 2 ?

3. If the PIX loses its Phase 1 SA while the VPN 3000 still has its Phase 1 SA, do the two devices create a new Phase 1 SA?

4. Same as Q3, but if the VPN 3000 loses its Phase 1 SA.

Other question not related to the above, does PIX implement IKE Keepalive DPD ?

Thanks,

Best Regards,

Engel

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Engel,

Thanks for your question..

I will answer your questions inline:

Starting with v6.x, the PIX Firewall supports DPD keepalives, which are supported on the CVPN3000 from v3.x as well.

1. There are currently no known issues with rekeying between the PIX and the CVPN3000 either for the Phase I or Phase II.

2. Same as above

3. If the PIX loses its Phase I or Phase II Security Associations, then for it to renegotiate new SAs it should generate traffic towards the CVPN3000; at that time the CVPN3000 will delete the old ones and negotiate the new SAs with the PIX Firewall.

4. This should be the same for the CVPN3000, only vice versa.

Hope this helps,

Regards,

Aamir

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Aamir,

I have to connect stations behind a proxy/firewall (ISA server) to a remote VPN Concentrator 3005 through the proxy using VPN Client software or some other configuration using software only.

(Some locations use a VPN Concentrator 3002, which works fine, but I still have to connect other locations without that kind of hardware.)

The proxy is providing Internet access to the internal clients on the LAN, and it is connected to the Internet through ADSL.

Is there a software configuration using a proxy to connect clients to a remote VPN Concentrator 3005?

Thank you.

Leo Pastor

leop@satlink.com

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Leo,

I presume that the proxy server is doing NAT/PAT for outgoing requests. You can go ahead and use the IPSec/NAT feature and use either UDP or TCP encapsulation to let them pass through and connect to the CVPN3000 Concentrator.

Hope this helps,

Regards,

Aamir

-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Aamir,

I would like to ask for the following scenario:

10.1.1.0/24--PIX1---2.2.2.0/24---PIX2---10.20.20.0/24---Server

PIX1 Public I/F is 2.2.2.1 , Private I/F is 10.1.1.1

PIX2 Public I/F is 2.2.2.254, Private I/F is 10.20.20.1

Server IP address is 10.20.20.100 (Internal) , NAT IP address is 2.2.2.100

Several clients behind PIX1 are accessing the Server using its public NAT IP address which is 2.2.2.100. We are trying to encrypt this traffic.

Is it possible to make a crypto access-list for the above scenario:

PIX1 crypto ACL:

access-list 101 permit ip 10.1.1.0 255.255.255.0 host 2.2.2.100

PIX2 crypto ACL:

access-list 101 permit ip host 2.2.2.100 10.1.1.0 255.255.255.0

I am aware that a crypto access-list using the server's inside IP address will work also, but that is not an option for our current network.

I appreciate your assistance.

Best Regards,

Engel

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Engel,

Thanks for your question...

This configuration would work without a problem as long as the crypto access-lists are as you specified here. Actually the NAT happens before IPSec on the way out of the PIX, so the packet will first get NATted and then IPSec'd based on the interesting-traffic access-list. So this should work, no problem.

Hope this helps,

Regards,

Aamir

-=-=-
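Aamir's advice here, and in the one-way-traffic answer earlier, is that the crypto access-lists on both peers must be mirror images of each other, which is a check that can be done mechanically. The following Python is an added example, not code from the thread or from Cisco; it assumes the PIX "access-list <id> permit ip <src> <dst>" syntax shown in Engel's post and uses constructed ACLs based on it.

```python
# Added example (not from the thread or from Cisco): parse PIX crypto
# access-lists and report entries that the peer does not mirror.
import ipaddress
import re
from typing import List, Set, Tuple

Entry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX ACLs take a real netmask, not an IOS wildcard
    return ipaddress.ip_network(f"{kw}/{mask}", strict=False)


def parse_crypto_acl(text: str) -> Set[Entry]:
    """Return the (source, destination) pairs a crypto ACL selects for IPsec."""
    entries: Set[Entry] = set()
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"access-list\s+\S+\s+(permit|deny)\s+ip\s+(.*)$", line)
        if not m:
            raise ValueError(f"unsupported crypto ACL line: {line!r}")
        if m.group(1) == "deny":
            continue  # deny entries exclude traffic rather than select it
        tokens = m.group(2).split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        entries.add((src, dst))
    return entries


def unmirrored(local: str, remote: str) -> Tuple[Set[Entry], Set[Entry]]:
    """Entries on each side whose swapped (dst, src) form is missing on the other."""
    a, b = parse_crypto_acl(local), parse_crypto_acl(remote)
    return a - {(d, s) for s, d in b}, b - {(d, s) for s, d in a}


# Constructed sample: Engel's two ACLs from the thread, plus a second subnet
# that only PIX1 selects (the kind of mismatch behind one-way traffic).
PIX1_ACL = """
access-list 101 permit ip 10.1.1.0 255.255.255.0 host 2.2.2.100
access-list 101 permit ip 10.1.2.0 255.255.255.0 host 2.2.2.100
"""
PIX2_ACL = "access-list 101 permit ip host 2.2.2.100 10.1.1.0 255.255.255.0"

if __name__ == "__main__":
    only_pix1, only_pix2 = unmirrored(PIX1_ACL, PIX2_ACL)
    for src, dst in sorted(only_pix1, key=str):
        print(f"PIX1 selects {src} -> {dst} but PIX2 has no mirror entry")
    for src, dst in sorted(only_pix2, key=str):
        print(f"PIX2 selects {src} -> {dst} but PIX1 has no mirror entry")
```

Run on a real pair of configs, an entry reported here is the first place to look when one side shows "packets decrypted: 0".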

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hello Aamir,

We currently use the Cisco VPN client to connect to a Cisco Concentrator. Everything works (as far as I know).

We need to encrypt some data on our intranet network. We are trying to use the same client to terminate against a PIX firewall (6.x). Authentication is handled by ACS. The problem I am having is that the PIX is forcing me to push out mode-config settings (IP, DNS, domain name, etc.). I don't want this. I just want the communication to be encrypted.

Can I use the VPN 3.x client to establish a VPN session with a PIX 6.x and not push mode configurations? If so, how?

Thanks,

Dan Laden

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi Dan,

I guess the concept of having to send down the mode-config parameters is to let the client know to whom it needs to encrypt the data, what its IP address through the tunnel will be to access other private addresses, and what the DNS server will be for resolving the inside domains. As per the Unity client implementation, we would need to use mode config.

Hope this answers your question,

Regards,

Aamir

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi, Aamir

Could you please briefly describe the advantages and disadvantages of using a PIX for terminating remote access VPN connections compared to using a VPN 3000 concentrator? Any limitations? Thanks.

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Thanks for your question..

I think it's more of a design choice rather than a limitation of one or the other. Usually the Cisco PIX Firewall is used where you need to have a firewall and only have the option of using one device, not both (one for dedicated VPN and the other for firewalling). If you do that, then you have a single point of failure for both VPNs and firewalling, and you may also end up overloading the firewall with too much traffic, hence degradation of service. So the best-case scenario is to have 2 separate devices, one taking care of the VPNs and the other taking care of the firewalling.

Hope this helps you in making a decision,

Regards,

Aamir

-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

I'll have to configure a PIX 501 to establish a VPN with a 1710 VPN router. Both will have 3DES support. The PIX is going to have a dynamic public IP address each time it connects to the Internet using PPPoE, and the 1710 will have a static public IP address. They'll use a pre-shared key. Is there any tip or consideration for this scenario that I should keep in mind before starting to configure? For example, I won't be able to issue "crypto map map-name seq-num set peer" on the 1710 because I won't know the IP address of the PIX.

Thanks,

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

You have the following options:

First option:

Configure the router as Sam-i-am from the following link: http://www.cisco.com/warp/public/707/ios_804.html

and configure the PIX as Maui-PIX-01 from the following link:

http://www.cisco.com/warp/public/110/38.html

Second option:

Set up the PIX 501 as an EzVPN client connecting to an IOS router:

http://www.cisco.com/warp/public/110/pix-ios-easyvpn.html

Hope this helps,

Regards,

Aamir

-=-=-

New Member

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

In my company we have a 3015 located in Atlanta and a 3005 located in Dallas. For now all of our clients, about 30 a day, come into Atlanta, and we have 4 LAN-to-LAN connections coming into Atlanta. We want to use Dallas as a redundant site in two aspects: one is for the concentrator/clients and the second is for the LAN-to-LAN connections. There is a full T-1 between Atlanta and Dallas with Frame, and each site has a T-1 of Internet. What is the best solution to have redundancy between the 3015 and 3005 for both clients and the LAN-to-LAN?

Cisco Employee

Re: ASK THE EXPERT- IMPLEMENTING VPNs ON CISCO PIX FIREWALL

Hi,

Fortunately, the new Backup Servers feature, available starting from the 3.5.2 VPN client, should take care of this problem: define the Dallas VPN Concentrator second on that list, so that if the VPN client doesn't find the first one in Atlanta it tries connecting to the Dallas one. Unfortunately, we do not have a way of doing this on the LAN-to-LAN tunnels yet, other than having a redundant box sitting on the same LAN doing VRRP. So we will have to define the LAN-to-LAN tunnels on the Dallas box for them to work in case Atlanta goes down.

Hope this helps,

Regards,

Aamir

-=-=-
