Cisco Support Community
New Member

Can PIX allow outbound VPN Client sessions and terminate VPN sessions?

Hi, is it possible to configure a PIX FW (6.3) to allow internal VPN Clients to initiate a VPN session outbound to a remote VPN server AND at the same time have the capability to act as a VPN server for remote VPN Clients?

I have a PIX at my house and I often VPN outbound to my corporate network (I currently have this working). I also want to be able to VPN into my home PIX when I am traveling.

Thanks!

6 REPLIES
Cisco Employee

Re: Can PIX allow outbound VPN Client sessions and terminate VPN

If you're using the "fixup protocol esp-ike" command in the PIX, then at the moment, no, you can't also terminate tunnels on that PIX (when the PIX receives ESP/IKE packets it thinks they're for an internal host rather than for itself).

If your VPN client and server support NAT-T or some sort of IPSec encapsulation in TCP/UDP packets, then you shouldn't need the fixup command in the PIX and then you'll be able to terminate VPN connections to it.

New Member

Re: Can PIX allow outbound VPN Client sessions and terminate VPN

Absolutely. We do the same thing here, but from the corporate perspective. We have hard tunnels terminated at our corporate PIX as well as terminating clients to it, and we can use the software client from the inside to get to a customer's VPN server. You must allow the IPSEC traffic through the PIX and not use the fixup, but it works.

Chad Miller

New Member

Re: Can PIX allow outbound VPN Client sessions and terminate VPN

I am using "fixup esp-ike" command to allow outbound IPSEC traffic. So, I guess I would need to remove that and create an OUTBOUND access list permitting ports 50, 51, and 500 and apply it to the inside interface?

Thanks!

New Member

Re: Can PIX allow outbound VPN Client sessions and terminate VPN

You got it - remove the fixup and add lines to your access list, but the outbound is already ok (high security to low security). The returning inbound needs to be allowed. You can go whole hog like the following:

access-list inbound permit esp any any

access-list inbound permit udp any eq isakmp any

or you can restrict the source to known addresses you would allow, again remembering the source is the outside addresses since you're allowing the return traffic.

Clear as mud?

Chad

New Member

Re: Can PIX allow outbound VPN Client sessions and terminate VPN

Also - you need an IP to IP translation for the PC on the inside to a static address on the outside unless your remote VPN server can encapsulate it in udp/tcp packets. This needs to be set up for the PIX to deliver the return packets back to your PC. If you use PAT, the PIX won't know which PC on the inside to deliver the esp packets to.

Chad
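The following PIX 6.3 configuration fragment is an added example that pulls together the three pieces of advice above (drop the esp-ike fixup, allow the returning ESP/ISAKMP traffic inbound, and give the inside VPN client a one-to-one static translation) alongside the commands needed for the PIX to terminate remote software clients itself. It is not from the thread or from Cisco documentation. The interface names, addresses (RFC 5737 documentation ranges), group name and key are constructed placeholders; the comment lines prefixed with ! are annotations for the reader.

```cisco
! Added example (not the poster's configuration). Placeholder values:
!   inside VPN client PC .......... 192.168.1.10
!   spare public address for it ... 198.51.100.5  (not the PIX outside interface address)
!   corporate VPN server .......... 203.0.113.10
!   pool for remote clients ....... 192.168.2.1-192.168.2.20
!
! 1. Stop the PIX treating every ESP/IKE packet as belonging to an inside
!    host, so it can terminate IKE and IPsec itself.
no fixup protocol esp-ike
!
! 2. One-to-one translation for the inside PC. ESP has no port field, so
!    PAT cannot demultiplex return packets; a dedicated outside address can.
!    Everything else keeps using PAT on the outside interface address.
static (inside,outside) 198.51.100.5 192.168.1.10 netmask 255.255.255.255 0 0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
!
! 3. Permit the return traffic from the outbound tunnel. Restricted to the
!    known corporate peer and the translated address rather than "any any".
access-list inbound permit esp host 203.0.113.10 host 198.51.100.5
access-list inbound permit udp host 203.0.113.10 eq isakmp host 198.51.100.5
access-group inbound in interface outside
!
! 4. Terminate remote software clients on the PIX outside interface.
!    sysopt exempts IPsec traffic that terminates on the PIX from the
!    interface ACL, so no extra "inbound" entries are needed for it.
!    NAT-T lets clients behind other NAT devices connect over UDP 4500.
sysopt connection permit-ipsec
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside
!
! Remote clients get addresses from this pool; traffic between the inside
! LAN and the pool must bypass NAT so it enters the tunnel untranslated.
ip local pool vpnpool 192.168.2.1-192.168.2.20
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
vpngroup homevpn address-pool vpnpool
vpngroup homevpn idle-time 1800
vpngroup homevpn password REPLACE-WITH-STRONG-GROUP-KEY
```

Two points worth checking before relying on this. First, the static address for the inside PC has to be a second public address, distinct from the PIX outside interface address: ESP and ISAKMP arriving at the interface address must reach the PIX itself (the tunnels it terminates), while those arriving at the static address are forwarded to the PC. If only one public address is available, the alternative is the one the first reply describes: have the client use NAT-T or TCP/UDP encapsulation to the corporate server, in which case the static and the esp ACL entry are unnecessary. Second, "permit esp any any" as posted admits ESP from every Internet host to every outside address; pinning the source to the known corporate peer keeps the exposed surface to the one tunnel that is actually expected.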

New Member

Re: Can PIX allow outbound VPN Client sessions and terminate VPN

Chad,

Got it working!

Thanks for your help on this!

TV
