juniper vpn client behind a PIX 515e

Our client has a PIX 515E (6.3.4); there is a workstation trying to use a Juniper VPN client to connect to a vendor network. The VPN client says it is connected, but no vendor IP information is passed on to the local workstation. The client is requesting that ports 500 and 4500 be opened to support this connection. This doesn't seem correct to me. Any suggestions?

ACCEPTED SOLUTION

Re: juniper vpn client behind a PIX 515e

Jason,

A workaround can be permitting TCP 4500, UDP 500, and the ESP and AH protocols to the outside interface from any destination:

access-list outside_access_in permit tcp any interface outside eq 4500
access-list outside_access_in permit udp any interface outside eq 500
access-list outside_access_in permit esp any interface outside

If that doesn't work, upgrade your IOS to 7.x; ipsec-pass-through and PAT VPN configs can work at the same time.

Regards
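It is easy to misread by eye which of the four IPsec components the lines in that answer actually permit. Two things to check before applying them: NAT-T (RFC 3947/3948) runs over UDP 4500, so a tcp 4500 entry does not cover it, and the AH protocol mentioned in the text has no entry at all. The script below is an added example, not part of the thread and not a Cisco tool; it parses the subset of PIX 6.3 access-list syntax used above (address specs any, host A.B.C.D, A.B.C.D MASK and interface NAME, each optionally followed by eq PORT) and reports which component each permit entry covers. The three posted lines are embedded as constructed input.

```python
"""Report which IPsec pass-through components a set of PIX 6.3-style
access-list lines permits.

Added example, not from the original thread or from Cisco. It parses only
the subset of PIX ACL syntax seen in the thread: address specs 'any',
'host A.B.C.D', 'A.B.C.D MASK' or 'interface NAME', each optionally
followed by 'eq PORT'.
"""

# What an IPsec client behind the firewall may need returned to it.
# NAT-T (RFC 3947/3948) is UDP 4500; a TCP 4500 entry does not cover it.
REQUIRED = {
    "IKE (udp/500)":     ("udp", 500),
    "NAT-T (udp/4500)":  ("udp", 4500),
    "ESP (ip proto 50)": ("esp", None),
    "AH (ip proto 51)":  ("ah", None),
}

PROTO_NUMBERS = {"6": "tcp", "17": "udp", "50": "esp", "51": "ah"}
PORT_NAMES = {"isakmp": 500}   # PIX accepts names for well-known ports


def read_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    # 'host A.B.C.D', 'interface NAME' and 'A.B.C.D MASK' are all two tokens
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def read_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return int(PORT_NAMES.get(name, name)), i + 2
    return None, i


def parse_acl(line):
    """Parse one access-list line into a dict; return None for anything else."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        return None
    name, action, proto = tokens[1], tokens[2], tokens[3].lower()
    proto = PROTO_NUMBERS.get(proto, proto)
    src, i = read_addr(tokens, 4)
    sport, i = read_port(tokens, i)
    dst, i = read_addr(tokens, i)
    dport, i = read_port(tokens, i)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ipsec_coverage(config_text):
    """Map each REQUIRED component to True if some permit entry matches it."""
    entries = [e for e in map(parse_acl, config_text.splitlines())
               if e and e["action"] == "permit"]
    return {label: any(e["proto"] == proto and (port is None or e["dport"] == port)
                       for e in entries)
            for label, (proto, port) in REQUIRED.items()}


# Constructed input: the three lines from the accepted answer above.
POSTED_ACL = """
access-list outside_access_in permit tcp any interface outside eq 4500
access-list outside_access_in permit udp any interface outside eq 500
access-list outside_access_in permit esp any interface outside
"""

if __name__ == "__main__":
    for label, ok in ipsec_coverage(POSTED_ACL).items():
        print(("ok      " if ok else "MISSING ") + label)
```

Run against the posted lines it reports IKE and ESP as covered and NAT-T and AH as missing; changing the first line to udp and adding an ah (protocol 51) entry makes all four pass. The check only looks at destination ports, which is what matters for an inbound ACL on the outside interface.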

5 REPLIES

Re: juniper vpn client behind a PIX 515e

Hello Jason,

I don't have any experience with Juniper, but I am assuming that the Juniper VPN Client behind your PIX (on the inside interface) is trying to establish an IPsec VPN session with a remote Juniper server.

By default, any traffic that is originated from your VPN client is permitted and no ports need to be opened, since it is located on a higher-security interface. But again, assuming that this is an IPsec connection, you may have to enable IPsec pass-through on the PIX. Try issuing the following:

fixup protocol ipsec-pass-through

Regards


Re: juniper vpn client behind a PIX 515e

That command is not supported in the 6.3.4 IOS. Do you know what the command is for this version?

Re: juniper vpn client behind a PIX 515e

Try this:

fixup protocol esp-ike


Re: juniper vpn client behind a PIX 515e

This firewall supports a remote access VPN connection. When I entered the fixup protocol esp-ike command I received this error message: "PAT for ESP cannot be enabled since ISAKMP is enabled. Please correct your configuration and re-issue the command!"
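That error is the core of the problem. The PIX can PAT IKE on UDP 500 and NAT-T on UDP 4500 because those datagrams carry port numbers, but raw ESP (IP protocol 50) has none, and on 6.3 the esp-ike fixup that works around this cannot coexist with an ISAKMP listener on the same box, which is exactly what the message says. Whether the Juniper client is stuck on raw ESP (which stalls behind PAT) or has negotiated NAT-T encapsulation (which PAT carries) can be read off the wire. The script below is an added example, not code from the thread; it decodes the ISAKMP header (RFC 2408 / RFC 7296), the cleartext ESP header (RFC 4303) and the RFC 3948 non-ESP-marker and keepalive demux on UDP 4500. The packets at the bottom are constructed inline for illustration, not captured from a client.

```python
"""Classify IPsec datagrams seen on the inside interface so you can tell
whether a client behind PAT negotiated NAT-T (UDP 4500, which PAT can
translate) or is still sending raw ESP (IP protocol 50, no ports, so PAT
has nothing to rewrite).

Added example, not code from the thread. Header layouts: ISAKMP/IKE
(RFC 2408 / RFC 7296), ESP (RFC 4303), UDP encapsulation (RFC 3948).
The sample packets at the bottom are constructed by hand, not captured.
"""
import struct

# ISAKMP/IKE exchange types (RFC 2408 sec. 3.1, RFC 7296 sec. 3.1)
EXCHANGE_TYPES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode",
                  5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
                  34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
                  36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}

# initiator SPI, responder SPI, next payload, version, exchange type,
# flags, message ID, total length = 28 bytes
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 sec. 2.2
NAT_KEEPALIVE = b"\xff"                # RFC 3948 sec. 2.3


def parse_isakmp(data):
    """Decode an ISAKMP header; raise ValueError if it is malformed."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ispi, rspi, _npl, ver, exch, _flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"ISAKMP length {length} != datagram {len(data)}")
    return {"kind": "IKE", "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "message_id": msgid, "length": length}


def parse_esp(data):
    """Decode the cleartext ESP header: SPI and sequence number."""
    if len(data) < 8:
        raise ValueError("short ESP header")
    spi, seq = struct.unpack_from("!II", data)
    return {"kind": "ESP", "spi": f"0x{spi:08x}", "seq": seq, "length": len(data)}


def classify(ip_proto, udp_dst_port, payload):
    """Classify one datagram from its IP protocol, UDP dst port and payload."""
    if ip_proto == 50:                      # raw ESP: PAT cannot map it
        return parse_esp(payload)
    if ip_proto == 51:
        return {"kind": "AH", "length": len(payload)}
    if ip_proto != 17:
        return {"kind": "other", "ip_proto": ip_proto}
    if udp_dst_port == 500:
        return parse_isakmp(payload)
    if udp_dst_port == 4500:                # RFC 3948 demux
        if payload == NAT_KEEPALIVE:
            return {"kind": "NAT-keepalive"}
        if payload[:4] == NON_ESP_MARKER:
            rec = parse_isakmp(payload[4:])
            rec["kind"] = "IKE (NAT-T)"
            return rec
        rec = parse_esp(payload)            # an ESP SPI is never 0, so no clash with the marker
        rec["kind"] = "ESP (UDP-encapsulated)"
        return rec
    return {"kind": "other-udp", "udp_dst_port": udp_dst_port}


def make_ike(exchange_type, total_length):
    """Build a header-only ISAKMP message padded to total_length (constructed data)."""
    body = b"\x00" * (total_length - ISAKMP_HDR.size)
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10,
                           exchange_type, 0, 0, total_length) + body


# Constructed sample traffic: (ip_proto, udp_dst_port, payload)
SAMPLES = [
    (17, 500, make_ike(2, 120)),                                    # Main Mode on UDP 500
    (17, 4500, NON_ESP_MARKER + make_ike(32, 80)),                  # Quick Mode behind the marker
    (17, 4500, NAT_KEEPALIVE),                                      # NAT-T keepalive
    (17, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 40),   # UDP-encapsulated ESP
    (50, None, struct.pack("!II", 0xC0FFEE02, 3) + b"\x00" * 40),   # raw ESP
]


def summarize(samples=SAMPLES):
    """Return the kind of each datagram, in order."""
    return [classify(*s)["kind"] for s in samples]


if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(*s))
```

Feed it the (ip_proto, udp_dst_port, payload) triples from a capture on the inside interface. If the IKE exchange completes on UDP 500 and every tunnel datagram that follows is classified as raw ESP with nothing UDP-encapsulated, the client did not negotiate NAT-T, and on 6.3 with ISAKMP enabled the PIX has no way to translate that traffic.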

