Problems with Cisco VPN Client through a PIX Firewall.
I have a PC on my LAN which I sometimes use to establish a VPN tunnel with a remote network via Cisco VPN Client. I use a Cisco router as my gateway router via broadband to gain access to the Internet and employ PAT for address translation. I upgraded the IOS to 12.2(15)T16 to support NAT Transparency, and I was able to establish the tunnel with this configuration.
I recently acquired a Cisco 506E PIX Firewall (Version 6.3(4)) to aid in my CCSP studies and integrated it into my network infrastructure. I inserted the PIX between my router and cable modem and offloaded the PAT from the router to the PIX. I set up the firewall with a basic configuration and I was able to access the Internet perfectly, but I could not establish the VPN tunnel via the Cisco VPN Client. Other than removing the PAT commands on the router, its configuration remained the same. I tried several configurations, including enabling ISAKMP on both interfaces and activating ISAKMP NAT-Traversal, but none worked. I finally was able to get the tunnel to establish by issuing the following command: fixup protocol esp-ike, and creating an inbound ACL on the outside interface allowing ESP from the remote system in.
My question is, is there a better way to do this without using the inbound access-list on the outside interface? Doesn't the PIX have a built-in NAT-Transparency system like the routers? Here is a sanitized version of the PIX configuration.
Thank you for your time!
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list TEST permit ip 10.0.0.0 255.255.252.0 any
access-list TEST permit esp 10.0.0.0 255.255.252.0 any
access-list VPN_CLIENT permit esp host 126.96.36.199 any
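As an added illustration (not part of the original post or any Cisco tool), here is a small Python check that reads the kind of PIX 6.3 fragment pasted above and reports the two things the post describes: the esp-ike fixup being enabled, and an outside-inbound ACL admitting ESP. The `access-group` line binding VPN_CLIENT to the outside interface is assumed, since the post mentions the ACL but the pasted fragment does not include the binding; the rule that the esp-ike fixup and `isakmp enable` cannot coexist is also assumed from the PIX 6.3 command reference and should be confirmed against your platform's documentation.

```python
# Constructed input: the sanitized PIX 6.3(4) fragment from the post, plus an
# assumed 'access-group' line binding VPN_CLIENT inbound on outside (the post
# says such an ACL is in place but does not paste the binding line).
PIX_CONFIG = """\
fixup protocol esp-ike
fixup protocol ftp 21
access-list TEST permit ip 10.0.0.0 255.255.252.0 any
access-list TEST permit esp 10.0.0.0 255.255.252.0 any
access-list VPN_CLIENT permit esp host 126.96.36.199 any
access-group VPN_CLIENT in interface outside
"""

def parse_pix(text):
    """Pull the few statement types this audit cares about out of a PIX config."""
    cfg = {"fixups": set(), "isakmp_ifaces": set(), "acls": {}, "bindings": []}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 3 and p[:2] == ["fixup", "protocol"]:
            cfg["fixups"].add(p[2])
        elif len(p) >= 3 and p[:2] == ["isakmp", "enable"]:
            cfg["isakmp_ifaces"].add(p[2])
        elif len(p) >= 4 and p[0] == "access-list":
            cfg["acls"].setdefault(p[1], []).append(p[2:])
        elif len(p) >= 5 and p[0] == "access-group":
            # access-group <name> in|out interface <ifname>
            cfg["bindings"].append((p[1], p[2], p[4]))
    return cfg

def audit(cfg):
    """Return human-readable findings about the VPN pass-through posture."""
    findings = []
    # Assumed PIX 6.3 restriction: esp-ike fixup and isakmp enable are exclusive.
    if "esp-ike" in cfg["fixups"] and cfg["isakmp_ifaces"]:
        findings.append("esp-ike fixup cannot coexist with isakmp enable on "
                        + ", ".join(sorted(cfg["isakmp_ifaces"])))
    # Any ACL bound inbound on outside that permits ESP widens the exposure
    # beyond what the esp-ike fixup alone would open for a tracked tunnel.
    for name, direction, iface in cfg["bindings"]:
        if direction != "in" or iface != "outside":
            continue
        for ace in cfg["acls"].get(name, []):
            if ace[0] == "permit" and ace[1] == "esp":
                src = " ".join(ace[2:4]) if ace[2] == "host" else ace[2]
                findings.append(f"ACL {name} admits ESP on outside from {src}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_pix(PIX_CONFIG)):
        print("-", finding)
```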
Re: Problems with Cisco VPN Client through a PIX Firewall.
This is a strange problem; looking at the debug I listed above, it shows it is denying inbound protocol 50 (ESP), which makes sense since the VPN client operates correctly once I put an inbound ACL on the outside interface permitting ESP.
Now it can't use stateful inspection since there is no initiating ESP traffic on the inbound interface.
Does this sound correct? Maybe I have no choice but to keep the inbound ACL in place on the inbound interface.