Cisco Support Community

New Member

How to allow cisco vpn 3.5 client on windows through Pix 506e

I have a user using Cisco VPN client version 3.5 on WinNT 4.0, which is behind a Cisco PIX 506e whose outside interface is connected to the Internet.

I found that in the logging it shows deny protocol 50...

What are the basic things I need to do for the VPN client to work?

Regards

Ramesh

5 REPLIES
Cisco Employee

Re: How to allow cisco vpn 3.5 client on windows through Pix 506

The problem here is you're doing PAT and IPSec is not a TCP/UDP type packet which can be PAT'd easily. The PIX doesn't currently support IPSec thru PAT specifically. You can remedy this a few ways.

Probably the easiest is to enable the IPSec over UDP feature in the VPN client. You do this in the concentrator config under the group the user is connecting to. Under the Client Config tab check the IPSec over UDP box. Now when the client connects all the IPSec packets will be encapsulated into UDP port 10000 (default) packets, which the PIX will then be able to PAT successfully.

In the 3.6 client you can also do IPSec over TCP, which encapsulates ALL the IPSec and ISAKMP packets into a TCP stream, which again the PIX can then PAT successfully.

Or, on the PIX itself you can define a static translation for this inside host rather than let it use the nat/global config, so that the traffic will be NAT'd instead of PAT'd and that should work also. You'll need an access-list to allow the IPSec packets back into the PIX because it won't open a hole for those like it does with TCP/UDP packets.

New Member

Re: How to allow cisco vpn 3.5 client on windows through Pix 506

Hello,

You say that the easiest way to solve this problem is to enable IPSec over UDP. Once the option is checked in the VPN client configuration, is there any parameter to add in the PIX configuration?

Thanks

New Member

Re: How to allow cisco vpn 3.5 client on windows through Pix 506

Hello,

Allow incoming traffic on the PIX for the UDP port you have chosen to use, and make sure that the receiving IPSec side is configured to use IPSec over UDP.

New Member

Re: How to allow cisco vpn 3.5 client on windows through Pix 506

You need to allow inbound ESP traffic. If your outside interface has the access list named outside_list, add the following:

access-list outside_list permit esp host x.x.x.x any

(where x.x.x.x is the IP address of the remote VPN server).
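
The first reply's explanation (PAT has no L4 port to rewrite in an ESP packet, IPSec over UDP gives it one, a static translation avoids PAT entirely) and this reply's point that ESP replies still need an explicit access-list entry can be traced through a small simulation. The following Python is an added example written for this thread, not Cisco code and not a model of real PIX internals: the `ToyPix` class, the addresses (RFC 5737 documentation ranges) and the log strings are all constructed, and the only value taken from the thread is the default IPSec-over-UDP port 10000.

```python
"""Constructed model of PAT vs. static NAT behaviour for ESP (protocol 50) and
IPSec over UDP, written to illustrate the replies above; not Cisco PIX code."""
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP, TCP = 50, 17, 6
IPSEC_UDP_PORT = 10000  # default IPSec-over-UDP port named in the thread


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # ESP carries an SPI, not ports, so these stay None
    dport: Optional[int] = None


class ToyPix:
    """Toy translation device: PAT on one global address, optional 1:1 statics."""

    def __init__(self, global_ip: str, statics: Optional[dict] = None):
        self.global_ip = global_ip          # single global address used for PAT
        self.statics = dict(statics or {})  # inside ip -> outside ip, 1:1 static
        self.pat = {}                       # (inside ip, sport) -> PAT port
        self.next_port = 1024
        self.conns = {}                     # (proto, peer, xlated ip, xlated port) -> (inside ip, inside port)
        self.inbound_acl = []               # (proto, peer host) permits on the outside access-list
        self.log = []                       # constructed log lines, not real PIX syslog format

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src in self.statics:
            # Static 1:1 translation rewrites only the address, so any protocol fits.
            out = replace(pkt, src=self.statics[pkt.src])
        elif pkt.sport is None:
            # PAT shares one address among many inside hosts by rewriting the L4
            # source port; a packet with no ports gives it nothing to rewrite.
            self.log.append(f"cannot PAT protocol {pkt.proto} from {pkt.src}")
            return None
        else:
            key = (pkt.src, pkt.sport)
            if key not in self.pat:
                self.pat[key] = self.next_port
                self.next_port += 1
            out = replace(pkt, src=self.global_ip, sport=self.pat[key])
        if pkt.proto in (TCP, UDP):
            # Return-path state is built only for TCP/UDP, as the first reply notes;
            # ESP replies need an explicit access-list entry instead.
            self.conns[(pkt.proto, pkt.dst, out.src, out.sport)] = (pkt.src, pkt.sport)
        return out

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        state = self.conns.get((pkt.proto, pkt.src, pkt.dst, pkt.dport))
        if state:
            inside_ip, inside_port = state
            return replace(pkt, dst=inside_ip, dport=inside_port)
        inside_ip = next((i for i, o in self.statics.items() if o == pkt.dst), None)
        if inside_ip and (pkt.proto, pkt.src) in self.inbound_acl:
            return replace(pkt, dst=inside_ip)
        self.log.append(f"deny inbound protocol {pkt.proto} src {pkt.src} dst {pkt.dst}")
        return None


def run_scenarios() -> dict:
    """Walk the remedies from the thread; all addresses are constructed."""
    server, client = "203.0.113.5", "192.168.1.20"  # VPN concentrator / inside client
    results = {}

    # 1. Plain ESP through nat/global PAT: dropped on the way out.
    pix = ToyPix(global_ip="198.51.100.1")
    results["esp_via_pat"] = pix.outbound(Packet(ESP, client, server)) is not None

    # 2. IPSec over UDP: ESP wrapped in UDP/10000 both ways, so PAT has ports to use.
    pix = ToyPix(global_ip="198.51.100.1")
    out = pix.outbound(Packet(UDP, client, server, IPSEC_UDP_PORT, IPSEC_UDP_PORT))
    back = pix.inbound(Packet(UDP, server, out.src, IPSEC_UDP_PORT, out.sport))
    results["ipsec_over_udp"] = back is not None and back.dst == client

    # 3. Static translation: ESP leaves, but the reply is denied until an ACL permits it.
    pix = ToyPix(global_ip="198.51.100.1", statics={client: "198.51.100.20"})
    results["static_esp_out"] = pix.outbound(Packet(ESP, client, server)) is not None
    results["static_esp_back_no_acl"] = pix.inbound(Packet(ESP, server, "198.51.100.20")) is not None
    pix.inbound_acl.append((ESP, server))  # access-list outside_list permit esp host 203.0.113.5 any
    back = pix.inbound(Packet(ESP, server, "198.51.100.20"))
    results["static_esp_back_with_acl"] = back is not None and back.dst == client
    results["deny_log"] = list(pix.log)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 3 reproduces the original poster's symptom: the concentrator's ESP reply is denied (protocol 50) until the outside access-list permits it, while the UDP-encapsulated flow in scenario 2 gets through on the ordinary connection state the device keeps for TCP/UDP.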

New Member

Re: How to allow cisco vpn 3.5 client on windows through Pix 506

Hi

Thanks a lot, your inbound ESP thing worked at the first shot...

Thanks to all for helping me out.

ramesh
