Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix 515 with Vpn 3005 on DMZ

Trying to get a vpn between home (win xp over DSL) and our office 3005 (T-1). Don't care about connecting to the LAN yet - just looking to make a successful tunnel.

Absolute novice with both the pix and the vpn concentrator.

The 3005 is on the dmz of a new pix 515R.

Pix outside = 1.2.3.5

Pix dmz = 192.168.0.254

Pix inside = 192.168.1.254

Vpn internet visible static ip = 1.2.3.6

Vpn outside = 192.168.0.250

Vpn inside = 192.168.1.250

On pix I have set the following:

static (dmz,outside) 1.2.3.6 192.168.0.250 netmask 255.255.255.255

access-list acl_out permit tcp any host 1.2.3.6 eq 50

access-list acl_out permit tcp any host 1.2.3.6 eq 10000

access-list acl_out permit udp any host 1.2.3.6 eq 4500

access-list acl_out permit udp any host 1.2.3.6 eq 500

access-group acl_out in interface outside

When I try to connect with client 3.6 from home, the hitcnt for the permit tcp 10000 access-list entry increases, but the client cannot establish a connection.

How can I troubleshoot this? If any more information is needed, please request.

1 REPLY
Cisco Employee

Re: Pix 515 with Vpn 3005 on DMZ

Hi,

When establishing an IPSec tunnel between Cisco VPN Client (Unity) and VPN3000, there are

a couple of scenarios:

1. Using UDP Port 500 and Protocol 50:

This connection is from users who are not sitting behind a PAT device and in this case you need to make sure that UDP Port 500 and Protocol 50 is not being blocked anywhere.

In the above case you need to add an access-list statement like:

access-list acl_out permit esp any host 1.2.3.6

2. Using UDP Port 500 and UDP Port 10000(Default) -- IPSec Over UDP

This is when you have users sitting behind a PAT device and in this case you need to make sure that UDP Port 500 and UDP Port 10000 is not being blocked.

In the above setup the IKE packet is in UDP Port 500 and the IPSec packet is wrapped in UDP Port 1000.

The default value of IPSec Over UDP is 10000, which is configurable.

If you are using the above set up, then you need add an access-list statement like:

access-list acl_out permit udp any host 1.2.3.6 eq 10000

3. Using TCP 10000 -- IPSec Over TCP

This is when you have users sitting behind a PAT device and in this case you need to make sure that TCP Port 10000 is not being blocked.

In the above set up both the IKE and IPSec packet using TCP Port 10000.

The default value of IPSec Over TCP is 10000, which is configurable.

If you are getting hits on TCP 10000 access-list, then looks like the client is using the option IPSec Over TCP. Make sure that the VPN3000 is configured to accept connection on this port. Provided you have configured a group on the VPN3000, follow the below config to enable IPSec Over TCP.

You can configure the below via GUI as well.

Login: admin

Password:

Welcome to

Cisco Systems

VPN 3000 Concentrator Series

Command Line Interface

Copyright (C) 1998-2002 Cisco Systems, Inc.

1) Configuration

2) Administration

3) Monitoring

4) Save changes to Config file

5) Help Information

6) Exit

Main -> 1

1) Interface Configuration

2) System Management

3) User Management

4) Policy Management

5) Back

Config -> 2

1) Servers (Authentication, Accounting, etc.)

2) Address Management

3) Tunneling Protocols (PPTP, L2TP, etc.)

4) IP Routing (static routes, OSPF, etc.)

5) Management Protocols (Telnet, TFTP, FTP, etc.)

6) Event Configuration

7) General Config (system name, time, etc.)

8) Client Update

9) Load Balancing Configuration

10) Back

System -> 3

1) PPTP

2) L2TP

3) IPSec

4) Back

Tunnel -> 3

1) IKE Proposals

2) NAT Transparency

3) Back

IPSec -> 2

1) Enable/Disable IPSec over TCP

2) Set IPSec over TCP Port(s)

3) Enable/Disable IPSec over NAT-T

4) Back

NAT Transparency -> 1

1) Enable IPSec over TCP

2) Disable IPSec over TCP

IPSec over TCP -> [ 2 ] 1

1) Enable/Disable IPSec over TCP

2) Set IPSec over TCP Port(s)

3) Enable/Disable IPSec over NAT-T

4) Back

NAT Transparency -> 2

> Enter up to 10 comma-separated IPSec over TCP Ports (1 - 65535)

IPSec over TCP Port(s) -> [ 10000 ]

1) Enable/Disable IPSec over TCP

2) Set IPSec over TCP Port(s)

3) Enable/Disable IPSec over NAT-T

4) Back

NAT Transparency ->

Let me know how the testing goes.

Regards,

Arul

83
Views
0
Helpful
1
Replies
CreatePlease to create content