01-03-2003 04:20 PM - edited 02-21-2020 12:15 PM
Trying to get a vpn between home (win xp over DSL) and our office 3005 (T-1). Don't care about connecting to the LAN yet - just looking to make a successful tunnel.
Absolute novice with both the pix and the vpn concentrator.
The 3005 is on the dmz of a new pix 515R.
Pix outside = 1.2.3.5
Pix dmz = 192.168.0.254
Pix inside = 192.168.1.254
Vpn internet visible static ip = 1.2.3.6
Vpn outside = 192.168.0.250
Vpn inside = 192.168.1.250
On pix I have set the following:
static (dmz,outside) 1.2.3.6 192.168.0.250 netmask 255.255.255.255
access-list acl_out permit tcp any host 1.2.3.6 eq 50
access-list acl_out permit tcp any host 1.2.3.6 eq 10000
access-list acl_out permit udp any host 1.2.3.6 eq 4500
access-list acl_out permit udp any host 1.2.3.6 eq 500
access-group acl_out in interface outside
When I try to connect with client 3.6 from home, the hitcnt for the permit tcp 10000 access-list entry increases, but the client cannot establish a connection.
How can I troubleshoot this? If any more information is needed, please request.
01-03-2003 05:29 PM
Hi,
When establishing an IPSec tunnel between Cisco VPN Client (Unity) and VPN3000, there are a couple of scenarios:
1. Using UDP Port 500 and Protocol 50:
This connection is from users who are not sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and Protocol 50 are not being blocked anywhere.
In the above case you need to add an access-list statement like:
access-list acl_out permit esp any host 1.2.3.6
2. Using UDP Port 500 and UDP Port 10000 (Default) -- IPSec Over UDP
This is when you have users sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and UDP Port 10000 are not being blocked.
In the above setup the IKE packet is in UDP Port 500 and the IPSec packet is wrapped in UDP Port 10000.
The default value of IPSec Over UDP is 10000, which is configurable.
If you are using the above set up, then you need to add an access-list statement like:
access-list acl_out permit udp any host 1.2.3.6 eq 10000
3. Using TCP 10000 -- IPSec Over TCP
This is when you have users sitting behind a PAT device, and in this case you need to make sure that TCP Port 10000 is not being blocked.
In the above set up both the IKE and IPSec packets use TCP Port 10000.
The default value of IPSec Over TCP is 10000, which is configurable.
If you are getting hits on the TCP 10000 access-list entry, then it looks like the client is using the option IPSec Over TCP. Make sure that the VPN3000 is configured to accept connections on this port. Provided you have configured a group on the VPN3000, follow the below config to enable IPSec Over TCP.
You can configure the below via GUI as well.
Login: admin
Password:
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2002 Cisco Systems, Inc.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 1
1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> 2
1) Servers (Authentication, Accounting, etc.)
2) Address Management
3) Tunneling Protocols (PPTP, L2TP, etc.)
4) IP Routing (static routes, OSPF, etc.)
5) Management Protocols (Telnet, TFTP, FTP, etc.)
6) Event Configuration
7) General Config (system name, time, etc.)
8) Client Update
9) Load Balancing Configuration
10) Back
System -> 3
1) PPTP
2) L2TP
3) IPSec
4) Back
Tunnel -> 3
1) IKE Proposals
2) NAT Transparency
3) Back
IPSec -> 2
1) Enable/Disable IPSec over TCP
2) Set IPSec over TCP Port(s)
3) Enable/Disable IPSec over NAT-T
4) Back
NAT Transparency -> 1
1) Enable IPSec over TCP
2) Disable IPSec over TCP
IPSec over TCP -> [ 2 ] 1
1) Enable/Disable IPSec over TCP
2) Set IPSec over TCP Port(s)
3) Enable/Disable IPSec over NAT-T
4) Back
NAT Transparency -> 2
> Enter up to 10 comma-separated IPSec over TCP Ports (1 - 65535)
IPSec over TCP Port(s) -> [ 10000 ]
1) Enable/Disable IPSec over TCP
2) Set IPSec over TCP Port(s)
3) Enable/Disable IPSec over NAT-T
4) Back
NAT Transparency ->
Let me know how the testing goes.
Regards,
Arul
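As an added example (not code from either participant in this thread): a small Python audit script that parses PIX permit statements like the ones the original poster listed and checks, for each transport mode the reply describes, whether every flow that mode needs is permitted to the concentrator's public address 1.2.3.6. It also flags the common mix-up of writing ESP (IP protocol 50) as a TCP or UDP port 50. It goes one step beyond the reply's three scenarios by also checking IPSec over NAT-T (UDP 4500), which appears both in the poster's ACL and in the concentrator's NAT Transparency menu; the mode table, the regex and the function names are my own assumptions, while the sample ACL lines are copied from the question.

```python
"""Added example: audit PIX access-list permits against the flows each
Cisco VPN Client transport mode needs to reach a VPN 3000 concentrator.
Not code from the thread; the ACL lines in POSTER_ACL are copied from the question."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the statements the original poster configured on the PIX.
POSTER_ACL = """
static (dmz,outside) 1.2.3.6 192.168.0.250 netmask 255.255.255.255
access-list acl_out permit tcp any host 1.2.3.6 eq 50
access-list acl_out permit tcp any host 1.2.3.6 eq 10000
access-list acl_out permit udp any host 1.2.3.6 eq 4500
access-list acl_out permit udp any host 1.2.3.6 eq 500
access-group acl_out in interface outside
"""

# Flows each transport mode needs as (protocol, destination port); None means
# the protocol has no port (ESP is IP protocol 50). The first three follow the
# reply's scenarios; the NAT-T row (UDP 4500) is an assumption added here.
MODES = {
    "native_ike_esp": [("udp", 500), ("esp", None)],
    "ipsec_over_udp": [("udp", 500), ("udp", 10000)],
    "ipsec_over_tcp": [("tcp", 10000)],
    "ipsec_nat_t":    [("udp", 500), ("udp", 4500)],
}


@dataclass(frozen=True)
class Ace:
    name: str            # access-list name, e.g. acl_out
    proto: str           # tcp, udp, esp, ip, ...
    dst: str             # destination host
    port: Optional[int]  # destination port, or None when no 'eq' is given


# Only the simple 'permit <proto> any host <dst> [eq <port>]' form is handled.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+any\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def parse_acl(text: str) -> List[Ace]:
    """Keep matching permit entries; static/access-group and other lines are ignored."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            port = int(m.group("port")) if m.group("port") else None
            aces.append(Ace(m.group("name"), m.group("proto"), m.group("dst"), port))
    return aces


def permits(aces: List[Ace], vpn_ip: str, proto: str, port: Optional[int]) -> bool:
    """True if some ACE lets this flow reach vpn_ip. 'permit ip' covers everything;
    a tcp/udp ACE without 'eq' covers every port of that protocol."""
    for a in aces:
        if a.dst != vpn_ip:
            continue
        if a.proto == "ip":
            return True
        if a.proto != proto:
            continue
        if port is None or a.port is None or a.port == port:
            return True
    return False


def audit(acl_text: str, vpn_ip: str) -> dict:
    """Map each mode to the flows the ACL does not permit (empty list = mode can work)."""
    aces = parse_acl(acl_text)
    return {mode: [f for f in flows if not permits(aces, vpn_ip, *f)]
            for mode, flows in MODES.items()}


def port_50_confusion(aces: List[Ace]) -> List[Ace]:
    """ESP is IP protocol 50, not a TCP/UDP port: 'permit tcp ... eq 50' does not pass ESP."""
    return [a for a in aces if a.proto in ("tcp", "udp") and a.port == 50]


if __name__ == "__main__":
    for mode, missing in audit(POSTER_ACL, "1.2.3.6").items():
        print(f"{mode:16s} {'OK' if not missing else 'missing ' + str(missing)}")
    for a in port_50_confusion(parse_acl(POSTER_ACL)):
        print(f"suspect: permit {a.proto} host {a.dst} eq {a.port} (did you mean 'permit esp'?)")
```

Run against the poster's ACL, the audit shows why only the TCP 10000 entry gets hits: IPSec over TCP is fully permitted, native IKE/ESP is missing the ESP permit the reply asks for, and IPSec over UDP is missing UDP 10000 because the poster opened 10000 on TCP only.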