Cisco Support Community
New Member

IPSec through a PIX

Can anybody tell me what needs to be done on my PIX to pass IPSec?

I'm using Cisco VPN software client 3.6.1 on a local PC to establish VPN with central 3060 concentrator.

My local PC needs to go through my local PIX to reach the concentrator at the hub site.

The local network uses private addresses and the PIX is using PAT to communicate on the Internet.

Can I just use sysopt connection permit-ipsec, or will I need additional configuration on the PIX, e.g. access-lists/conduits etc.?

Thanks.

6 REPLIES
New Member

Re: IPSec through a PIX

The best thing to do is to use UDP or TCP encapsulation on the 3060. Then just allow that outbound on your PIX. If the 3060 is not using UDP / TCP encapsulation (don't know why it wouldn't) then you need to do a static one-to-one NAT in your firewall and allow ESP into your internal machine.

Regards,

New Member

Re: IPSec through a PIX

Thanks. Will I still need the sysopt connection permit-ipsec command on the PIX?

Also you say, "The best thing to do is to use UDP or TCP encapsulation on the 3060. Then just allow that outbound on your pix."

When you say, "just allow that outbound on your pix", do you mean outbound onto the local LAN where my VPN software client resides, or outbound towards the concentrator?

Thanks

New Member

Re: IPSec through a PIX

The sysopt connection permit-ipsec only affects VPN connections terminating on the PIX firewall, not IPSEC connections traversing the firewall.

What I mean by that is, if you have an access-list on the inside interface of your PIX that only allows, say, HTTP, HTTPS and DNS,

i.e.

access-list inside permit tcp any any eq 80

access-list inside permit tcp any any eq 443

access-list inside permit udp any any eq 53

you would also need the UDP / TCP for the IPSEC connection, say

access-list inside permit udp host {internal client} host {3060} eq 10000

If you are not restricting outbound access this way, then you don't need to worry about anything on your firewall.

Regards,

New Member

Re: IPSec through a PIX

What if I have more clients behind the PIX and only 1 public IP address on the Internet?

New Member

Re: IPSec through a PIX

Use TCP or UDP encapsulation. What this does is put a UDP / TCP header on the ESP packet so that the firewall can do PAT on the packet.

Regards,

New Member

Re: IPSec through a PIX

I believe you have PIX version 6.2 or earlier. You should upgrade the IOS version to 6.3. In that case you don't need any public address. You can do VPN behind your PIX firewall without doing one-to-one NATting. Cisco resolved the issue in 6.3. Also you need to configure the following command on the PIX.

isakmp nat-traversal [natkeepalive]

Check it out. It should help you.
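The following PIX 6.x configuration fragment is an added illustration of the two approaches discussed in this thread (the inside access-list for UDP-encapsulated IPsec from the third reply, and the static NAT plus ESP fallback from the first reply); it is not configuration posted by any of the participants. The addresses are assumptions: the VPN software client is 192.168.1.10 on the inside, the concentrator is 203.0.113.5 on the Internet, and 203.0.113.6 is a spare public address used only in the fallback section. UDP 10000 is the VPN 3000 concentrator's default IPsec-over-UDP port, UDP 4500 is the NAT-T port, and UDP 500 carries IKE in both cases.

```cisco
! Added example, not from the thread. Assumed addresses:
!   inside VPN client  192.168.1.10
!   3060 concentrator  203.0.113.5
!   spare public IP    203.0.113.6 (fallback only)
!
! --- Option 1: UDP encapsulation / NAT-T through PAT (single public IP) ---
! Existing restrictive outbound policy from the third reply (HTTP, HTTPS, DNS)
access-list inside permit tcp any any eq 80
access-list inside permit tcp any any eq 443
access-list inside permit udp any any eq 53
! IKE negotiation between the client and the concentrator
access-list inside permit udp host 192.168.1.10 host 203.0.113.5 eq 500
! IPsec over UDP, concentrator default port 10000 (the "say" line in the third reply)
access-list inside permit udp host 192.168.1.10 host 203.0.113.5 eq 10000
! NAT-T, which client 3.6.x and the concentrator negotiate on their own
access-list inside permit udp host 192.168.1.10 host 203.0.113.5 eq 4500
! Everything else from the inside is dropped by the implicit deny at the end
access-group inside in interface inside
! PAT for the whole inside network stays as it already is, e.g.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! --- Option 2: raw ESP with a one-to-one static NAT (needs a spare public IP) ---
! Only needed when the concentrator is NOT doing UDP/TCP encapsulation.
static (inside,outside) 203.0.113.6 192.168.1.10 netmask 255.255.255.255
! Let the concentrator's ESP and IKE replies reach the client's public address
access-list outside permit esp host 203.0.113.5 host 203.0.113.6
access-list outside permit udp host 203.0.113.5 host 203.0.113.6 eq 500
access-group outside in interface outside
!
! Neither "sysopt connection permit-ipsec" nor "isakmp nat-traversal" is part of
! the passthrough policy above: both govern IPsec tunnels that terminate on the
! PIX itself, as the third reply notes for sysopt.
```

With Option 1 the PIX creates a UDP translation for the client's outbound packet, so the concentrator's UDP 10000 or UDP 4500 replies come back to the translated port and are matched by that xlate; no inbound access-list entry is needed. Option 2 works because ESP has no ports for PAT to rewrite, so the client must own a public address of its own and the return ESP must be explicitly permitted inbound.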
