Re: PIX 506e(ver. 6.35) and VPN Clients

jason.ingram · ‎03-29-2006

I have a PIX 506e set up for VPN connectivity at a remote branch office. Users from my main branch office cannot connect to it when they they are sitting at their desks. In other words, the main corporate office firewall is blocking the VPN connection. The VPN works just fine when users are not in the office.

Here is a cut and paste of the translations and encryptions in use:

sysopt connection permit-ipsec

crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

crypto dynamic-map map2 10 set transform-set trmset1

crypto map map1 10 ipsec-isakmp dynamic map2

crypto map map1 interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

The question is, what do I need to open up IP/TCP/UDP wise on my firewall at the corporate office to allow outbound VPN connections to be succesful. Keep in mind, I need this to be succesfull in the future as well with other VPN servers.

Any thoughts would be appreciated.

Jason

m.sir · ‎03-29-2006

I think your VPN configuration is OK you need modify access-list from inside to outside of your firewall

You need permit esp protocol ad udp ports 500 a 4500

so it should by (I suppose that you access list for outbound is named in_out...)

access_list in_out permit esp any your_VPN_server_IP

access_list in_out permit udp any your_VPN_server_IP eq 500

access_list in_out permit udp any your_VPN_server_IP eq 4500

M.

Hope that helps, rate if it does

jason.ingram · ‎03-31-2006

Man, i wish I had some way to go back and change the rateing to whatever the highest is. Enabling NAT-T via udp port 4500 like you suggested proved to be the missing ingredient. Thanks for that.

m.sir · ‎03-31-2006

Nice to hear that problem is solved ...

NAT-T is most common problem in VPN

Milan