At present the PIX is running with normal ASA behaviour, aka no access lists defined and bound to either interface. Having declared an access list permitting protocol 50 (ESP) and binding to the outside Int, this now works, but this is something that doesn't bear contemplating, as they run a number of other VPN clients internally which pass through the PIX correctly and it would be very hard to work out what ports need to be permitted, if we have to go with a specified ACL on the Outside interface.
We have tried the SYSOPT CONNECTION PERMIT-IPSEC, which didn't work, and we also have the FIXUP PROTOCOL ESP-IKE to get around the IPSEC/PAT issue.
Am I correct in assuming that once the Symantec VPN client has data to send to the VPN protected network, behind the Raptor, it signals this and then the Raptor tries to establish the VPN, and as such there is no xlate slot set up to tie this to an internal request?
Sorry for the long winded explanation. Anyone's comments or assistance greatly appreciated.
It's important to remember that the ASA only inspects TCP/UDP traffic unless other functionality is provided by a fixup. Currently, the outbound UDP/500 packet for IPSec doesn't tell the Pix to allow in another Protocol, 50 in this case. It would be nice to see this added as a fixup.
The Fixup for ESP-IKE allows a VPN client to use the Pix's outside interface address and ports for a single VPN tunnel. This is useful when the Pix's outside address is used for client PAT and you need to create an outbound VPN tunnel. ESP/IPSec doesn't work through PAT, and this provides a workaround for only a single client (a single IP address only has one protocol 50 and UDP/500 port to listen on). Since the traffic is destined to a client behind the Pix and not the Pix itself, the traffic must have an open connection. As previously discussed, the Pix doesn't know to dynamically open protocol 50 after seeing a UDP/500 packet.
Permit-IPsec simply allows traffic from VPN tunnels TERMINATED BY the Pix to bypass ACL processing. It does not affect VPN tunnels PASSING THROUGH the Pix. It doesn't know or care about these.
Many VPN clients/concentrators recognize a NAT environment and will switch to NAT-T, which encapsulates all IPSec traffic over UDP/4500. This works for NAT and eases the pains of VPN in firewall environments like you are experiencing. Check to see if the Symantec client supports NAT-T or TCP/UDP encapsulation. If not, you'll be forced to allow ESP in the outside interface of the Pix with an ACL.
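As an added illustration (not part of the thread), a small Python model of the point made above: a firewall whose state table is keyed on TCP/UDP flows never has an entry for protocol 50, so raw ESP replies are dropped, while NAT-T traffic on UDP/4500 matches the outbound flow and passes. Addresses and payloads are constructed, the RFC 3948 non-ESP marker is used to tell IKE from ESP on UDP/4500, and the PAT address rewrite itself is left out of the model.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: int            # IP protocol: 17 = UDP, 50 = ESP
    src: str
    dst: str
    sport: int = 0        # UDP ports; 0 for protocols without ports (ESP)
    dport: int = 0
    payload: bytes = b""

IKE_PORT, NATT_PORT, UDP, ESP = 500, 4500, 17, 50

def classify(pkt: Packet) -> str:
    """Name the IPsec traffic type this packet belongs to."""
    if pkt.proto == ESP:
        return "esp"
    if pkt.proto == UDP and IKE_PORT in (pkt.sport, pkt.dport):
        return "ike"
    if pkt.proto == UDP and NATT_PORT in (pkt.sport, pkt.dport):
        # RFC 3948: IKE on UDP/4500 starts with a 4-byte zero "non-ESP marker";
        # UDP-encapsulated ESP starts with the (non-zero) SPI instead.
        return "natt-ike" if pkt.payload[:4] == b"\0\0\0\0" else "natt-esp"
    return "other"

def stateful_pass(outbound, inbound):
    """Model a firewall that only tracks TCP/UDP flows (the PIX behaviour the
    thread describes). An inbound packet is allowed only if it is the reverse
    of an outbound flow seen earlier; address rewriting is left out."""
    flows = set()
    for p in outbound:
        if p.proto in (6, UDP):               # TCP/UDP only: no entry for ESP
            flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
    return [classify(p) for p in inbound
            if (p.proto, p.dst, p.dport, p.src, p.sport) in flows]

CLIENT, GATEWAY = "10.1.1.20", "198.51.100.7"   # constructed addresses

def native_ipsec():
    """Client sends IKE on UDP/500; gateway answers with IKE, then raw ESP."""
    out = [Packet(UDP, CLIENT, GATEWAY, 500, 500, b"\x11" * 28)]
    back = [Packet(UDP, GATEWAY, CLIENT, 500, 500, b"\x22" * 28),
            Packet(ESP, GATEWAY, CLIENT, payload=struct.pack("!II", 0x1234ABCD, 1))]
    return stateful_pass(out, back)          # ESP reply never matches a flow

def natt_ipsec():
    """Same exchange with NAT-T: IKE and ESP both ride UDP/4500."""
    out = [Packet(UDP, CLIENT, GATEWAY, 4500, 4500, b"\0\0\0\0" + b"\x11" * 28)]
    back = [Packet(UDP, GATEWAY, CLIENT, 4500, 4500, b"\0\0\0\0" + b"\x22" * 28),
            Packet(UDP, GATEWAY, CLIENT, 4500, 4500, struct.pack("!II", 0x1234ABCD, 1))]
    return stateful_pass(out, back)
```

`native_ipsec()` returns only the IKE reply, while `natt_ipsec()` returns both the IKE and the encapsulated ESP reply, which is exactly the difference the ACL or NAT-T advice above addresses.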