Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Can't make outbound VPN

I just got a PIX 515E installed on wednesday, and I found that I can't make an outbound VPN connection. It will go as far as Verifying Username and password, but will go no further. I had the same problem with the 2611 router that was functioning as our firewall, but I figured that it had something to do with the fact that the router was doing more than it was supposed to do. Any ideas why it's doing this and how to fix it?

Thanks

5 REPLIES
Community Member

Re: Can't make outbound VPN

Which VPN client are you using?

There are some inbound ports you will need to open up for vpn connectivity.

For Cisco's 3.X client, try udp port 500, and IP port esp. Also you may need to open either udp port 10000, or udp port 4500. Check your syslog to see which packets are trying to get back in to verify this.

For Windows VPN client try opening IP GRE.

Some clients also require IP AH.

Hope that helps

~rls

Community Member

Re: Can't make outbound VPN

I should've mentioned that in my first post. I always forget the important little details. I'm using Windows 2000/XP PPTP VPN (XP Client, 2000 Server). If I get a PIX 501 or 506, or some other router/firewall that supports L2TP for home, I will probably start using 3DES L2TP. I don't know if there will be something I will have to set up differently to use L2TP, but I don't think that's in the near future.

Community Member

Re: Can't make outbound VPN

Then you should be okay by opening IP GRE. You may also need to open TCP port 1723.

~rls

Community Member

Re: Can't make outbound VPN

I found a document on permitting PPTP connections through the PIX. It says that static mappings must mbe made. Is there any way to tell the PIX to allow GRE to any host that is initiating PPTP from the inside, or must I set up static routes?

Community Member

Re: Can't make outbound VPN

Since the pptp client initiates the connection on tcp 1723 the pix doesn't match the inbound gre connection against the xlate table and so drops the packet in the absence of a permitting conduit or ACL.

You will either need to do a permit all gre for those addresses used with the nat/global statement, or only allow gre inbound for those addresses assigned to vpn clients via static statements.

~rls

134
Views
0
Helpful
5
Replies
CreatePlease to create content