I just got a PIX 515E installed on Wednesday, and I found that I can't make an outbound VPN connection. It will go as far as Verifying Username and Password, but will go no further. I had the same problem with the 2611 router that was functioning as our firewall, but I figured that it had something to do with the fact that the router was doing more than it was supposed to do. Any ideas why it's doing this and how to fix it?
There are some inbound ports you will need to open up for vpn connectivity.
For Cisco's 3.X client, try udp port 500, and IP port esp. Also you may need to open either udp port 10000, or udp port 4500. Check your syslog to see which packets are trying to get back in to verify this.
I should've mentioned that in my first post. I always forget the important little details. I'm using Windows 2000/XP PPTP VPN (XP Client, 2000 Server). If I get a PIX 501 or 506, or some other router/firewall that supports L2TP for home, I will probably start using 3DES L2TP. I don't know if there will be something I will have to set up differently to use L2TP, but I don't think that's in the near future.
I found a document on permitting PPTP connections through the PIX. It says that static mappings must be made. Is there any way to tell the PIX to allow GRE to any host that is initiating PPTP from the inside, or must I set up static routes?
Since the PPTP client initiates the connection on TCP 1723, the PIX doesn't match the inbound GRE connection against the xlate table and so drops the packet in the absence of a permitting conduit or ACL.
You will either need to do a permit all gre for those addresses used with the nat/global statement, or only allow gre inbound for those addresses assigned to vpn clients via static statements.
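The static-plus-ACL option described above, written out as an added PIX 6.x configuration example (not taken from the thread). The addresses are constructed placeholders: 192.168.1.50 is the inside PPTP client and 203.0.113.10 is a spare address on the PIX's outside subnet; `outside_in` is an assumed ACL name.

```cisco
! Added example: let one inside PPTP client receive the inbound GRE
! (IP protocol 47) stream that the PIX otherwise drops.
! 192.168.1.50 = inside VPN client (constructed)
! 203.0.113.10 = unused outside address on the PIX subnet (constructed)

! 1. One-to-one static so the client always owns a predictable outside
!    address. GRE carries no port numbers, so a shared PAT address cannot
!    be used to translate it back to the client.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255 0 0

! 2. Permit only GRE, and only to that client's mapped address. The PPTP
!    control channel (TCP 1723) is outbound and already passes via the xlate,
!    so nothing else needs to be opened for this client.
access-list outside_in permit gre any host 203.0.113.10

! 3. Bind the ACL inbound on the outside interface (replaces any conduit).
access-group outside_in in interface outside
```

Only one ACL can be bound per interface and direction, so add the `permit gre` line to the ACL already applied to `outside` rather than creating a second one, which would replace the existing rules. After reconnecting, `show xlate` should list the static and `show conn` should show the GRE entry alongside the TCP 1723 control connection, and the client should get past "Verifying Username and Password".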