03-29-2006 11:59 AM - edited 02-21-2020 02:20 PM
I have a PIX 506e set up for VPN connectivity at a remote branch office. Users from my main branch office cannot connect to it when they are sitting at their desks. In other words, the main corporate office firewall is blocking the VPN connection. The VPN works just fine when users are not in the office.
Here is a cut and paste of the translations and encryptions in use:
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
The question is, what do I need to open up IP/TCP/UDP-wise on my firewall at the corporate office to allow outbound VPN connections to be successful? Keep in mind, I need this to be successful in the future as well with other VPN servers.
Any thoughts would be appreciated.
Jason
03-29-2006 10:10 PM
I think your VPN configuration is OK; you need to modify the access-list from inside to outside on your firewall.
You need to permit the ESP protocol and UDP ports 500 and 4500.
So it should be (I suppose that your access list for outbound traffic is named in_out...):
access-list in_out permit esp any host your_VPN_server_IP
access-list in_out permit udp any host your_VPN_server_IP eq 500
access-list in_out permit udp any host your_VPN_server_IP eq 4500
M.
Hope that helps, rate if it does
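To make the answer above concrete, here is an added example (not code from the thread or from Cisco) that parses PIX-style access-list entries and evaluates them against the three flows an IPsec client needs to reach a VPN server: IKE on UDP/500, NAT-T on UDP/4500 and raw ESP (IP protocol 50). It runs the corporate-office outbound ACL in its "before" form (ESP and UDP/500 only) and its "after" form (UDP/4500 added) so the missing NAT-T rule shows up as an implicit deny. The access-list name in_out, the client and server addresses (RFC 5737 documentation range) and the extra HTTP rule are constructed for the example; PIX masks are network masks, not IOS-style wildcards, which the parser assumes.

```python
"""Evaluate PIX-style outbound access-list entries against the flows an
IPsec VPN client needs: IKE (UDP/500), NAT-T (UDP/4500) and ESP (proto 50).
Added example for this thread; the ACL text and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# PIX accepts the port name "isakmp" in place of 500 on udp entries.
PORT_NAMES = {"isakmp": 500}


@dataclass
class Ace:
    """One access-list entry: action, protocol, source, destination, dest port."""
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX uses a network mask (255.255.0.0), not a wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank lines and '!' comments
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append(Ace(name, action, proto, src, dst, dport))
    return aces


def permitted(aces, proto, src, dst, dport=None):
    """First matching entry wins; PIX has an implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# The three flows the VPN client sends toward the server (protocol, dest port).
VPN_FLOWS = {
    "IKE (UDP/500)": ("udp", 500),
    "NAT-T (UDP/4500)": ("udp", 4500),
    "ESP (IP proto 50)": ("esp", None),
}


def check_vpn_flows(acl_text, client_ip, server_ip):
    """Map each VPN flow to True (permitted) or False (dropped)."""
    aces = parse_acl(acl_text)
    return {label: permitted(aces, proto, client_ip, server_ip, port)
            for label, (proto, port) in VPN_FLOWS.items()}


# Constructed sample: corporate-office outbound ACL before and after the fix.
VPN_SERVER = "203.0.113.10"   # placeholder for the remote PIX 506e
CLIENT = "10.1.1.25"          # placeholder for a desk at the main office

ACL_BEFORE = """\
access-list in_out permit esp any host 203.0.113.10
access-list in_out permit udp any host 203.0.113.10 eq isakmp
access-list in_out permit tcp 10.1.0.0 255.255.0.0 any eq 80
"""
ACL_AFTER = ACL_BEFORE + "access-list in_out permit udp any host 203.0.113.10 eq 4500\n"

if __name__ == "__main__":
    for title, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(f"--- {title} ---")
        for label, ok in check_vpn_flows(acl, CLIENT, VPN_SERVER).items():
            print(f"{label:20s} {'permit' if ok else 'DENY (implicit)'}")
```

Two practical notes when applying this on a real PIX: the entries only take effect once the list is bound to the inside interface (on PIX 6.x, `access-group in_out in interface inside`), and they must sit before any broader deny in the same list, since matching is first-hit. When a NAT device is in the path, IKE moves to UDP/4500 after the NAT-T detection and ESP is then carried inside UDP/4500 as well, so the UDP/4500 entry is the one that makes the tunnel come up from behind NAT; the raw ESP entry is only used when no NAT is detected.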
03-31-2006 06:14 PM
Man, I wish I had some way to go back and change the rating to whatever the highest is. Enabling NAT-T via UDP port 4500 like you suggested proved to be the missing ingredient. Thanks for that.
03-31-2006 09:55 PM
Nice to hear that problem is solved ...
NAT-T is the most common problem in VPN.
Milan