Pix 515 with Vpn 3005 on DMZ

waifurchin
Level 1

Trying to get a vpn between home (win xp over DSL) and our office 3005 (T-1). Don't care about connecting to the LAN yet - just looking to make a successful tunnel.

Absolute novice with both the pix and the vpn concentrator.

The 3005 is on the dmz of a new pix 515R.

Pix outside = 1.2.3.5

Pix dmz = 192.168.0.254

Pix inside = 192.168.1.254

Vpn internet visible static ip = 1.2.3.6

Vpn outside = 192.168.0.250

Vpn inside = 192.168.1.250

On pix I have set the following:

static (dmz,outside) 1.2.3.6 192.168.0.250 netmask 255.255.255.255

access-list acl_out permit tcp any host 1.2.3.6 eq 50

access-list acl_out permit tcp any host 1.2.3.6 eq 10000

access-list acl_out permit udp any host 1.2.3.6 eq 4500

access-list acl_out permit udp any host 1.2.3.6 eq 500

access-group acl_out in interface outside

When I try to connect with client 3.6 from home, the hitcnt for the permit tcp 10000 access-list entry increases, but the client cannot establish a connection.

How can I troubleshoot this? If any more information is needed, please request.

1 Reply

ajagadee
Cisco Employee

Hi,

When establishing an IPSec tunnel between Cisco VPN Client (Unity) and VPN3000, there are a couple of scenarios:

1. Using UDP Port 500 and Protocol 50:

This connection is from users who are not sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and Protocol 50 are not being blocked anywhere.

In the above case you need to add an access-list statement like:

access-list acl_out permit esp any host 1.2.3.6

2. Using UDP Port 500 and UDP Port 10000(Default) -- IPSec Over UDP

This is when you have users sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and UDP Port 10000 are not being blocked.

In the above setup the IKE packet is in UDP Port 500 and the IPSec packet is wrapped in UDP Port 1000.

The default value of IPSec Over UDP is 10000, which is configurable.

If you are using the above set up, then you need to add an access-list statement like:

access-list acl_out permit udp any host 1.2.3.6 eq 10000

3. Using TCP 10000 -- IPSec Over TCP

This is when you have users sitting behind a PAT device, and in this case you need to make sure that TCP Port 10000 is not being blocked.

In the above set up both the IKE and IPSec packets use TCP Port 10000.

The default value of IPSec Over TCP is 10000, which is configurable.

If you are getting hits on the TCP 10000 access-list entry, then it looks like the client is using the IPSec Over TCP option. Make sure that the VPN3000 is configured to accept connections on this port. Provided you have configured a group on the VPN3000, follow the below config to enable IPSec Over TCP.

You can configure the below via GUI as well.

Login: admin

Password:

Welcome to

Cisco Systems

VPN 3000 Concentrator Series

Command Line Interface

Copyright (C) 1998-2002 Cisco Systems, Inc.

1) Configuration

2) Administration

3) Monitoring

4) Save changes to Config file

5) Help Information

6) Exit

Main -> 1

1) Interface Configuration

2) System Management

3) User Management

4) Policy Management

5) Back

Config -> 2

1) Servers (Authentication, Accounting, etc.)

2) Address Management

3) Tunneling Protocols (PPTP, L2TP, etc.)

4) IP Routing (static routes, OSPF, etc.)

5) Management Protocols (Telnet, TFTP, FTP, etc.)

6) Event Configuration

7) General Config (system name, time, etc.)

8) Client Update

9) Load Balancing Configuration

10) Back

System -> 3

1) PPTP

2) L2TP

3) IPSec

4) Back

Tunnel -> 3

1) IKE Proposals

2) NAT Transparency

3) Back

IPSec -> 2

1) Enable/Disable IPSec over TCP

2) Set IPSec over TCP Port(s)

3) Enable/Disable IPSec over NAT-T

4) Back

NAT Transparency -> 1

1) Enable IPSec over TCP

2) Disable IPSec over TCP

IPSec over TCP -> [ 2 ] 1

1) Enable/Disable IPSec over TCP

2) Set IPSec over TCP Port(s)

3) Enable/Disable IPSec over NAT-T

4) Back

NAT Transparency -> 2

> Enter up to 10 comma-separated IPSec over TCP Ports (1 - 65535)

IPSec over TCP Port(s) -> [ 10000 ]

1) Enable/Disable IPSec over TCP

2) Set IPSec over TCP Port(s)

3) Enable/Disable IPSec over NAT-T

4) Back

NAT Transparency ->

Let me know how the testing goes.

Regards,

Arul
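As an added illustration (not code from either poster), the following Python checks a PIX access-list against the three VPN Client transport scenarios described in the reply, using the poster's own ACL lines as constructed input. Note that the poster's "tcp ... eq 50" line does not permit ESP, which is IP protocol 50 rather than a TCP port; NAT-T on UDP 4500 is not one of the reply's three scenarios and is left out of the check.

```python
# Added example: which VPN Client transport scenarios does a PIX ACL permit
# toward the concentrator's public address? Not part of the original thread.
import re

# Constructed from the original post's PIX configuration. The "tcp ... eq 50"
# line is the poster's entry as written (protocol 50 mistaken for a port).
ACL_LINES = """
access-list acl_out permit tcp any host 1.2.3.6 eq 50
access-list acl_out permit tcp any host 1.2.3.6 eq 10000
access-list acl_out permit udp any host 1.2.3.6 eq 4500
access-list acl_out permit udp any host 1.2.3.6 eq 500
"""

# Matches "access-list NAME permit PROTO any host DST [eq PORT]".
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+any\s+host\s+"
    r"(?P<dst>\S+)(?:\s+eq\s+(?P<port>\d+))?"
)

# The three scenarios from the reply, expressed as the flows each one needs.
SCENARIOS = {
    "native IPsec (UDP 500 + ESP)": {("udp", 500), ("esp", None)},
    "IPsec over UDP (UDP 500 + UDP 10000)": {("udp", 500), ("udp", 10000)},
    "IPsec over TCP (TCP 10000)": {("tcp", 10000)},
}


def parse_acl(text):
    """Return a set of (proto, dst, port) tuples; port is None for esp."""
    aces = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            port = int(m["port"]) if m["port"] else None
            aces.add((m["proto"], m["dst"], port))
    return aces


def check_scenarios(aces, dst):
    """Map scenario name -> sorted list of (proto, port) flows missing for dst."""
    present = {(proto, port) for proto, d, port in aces if d == dst}
    return {name: sorted(need - present, key=str) for name, need in SCENARIOS.items()}


def suspicious_entries(aces):
    """Flag tcp/udp 'eq 50' entries: ESP is IP protocol 50, not a port."""
    return [a for a in aces if a[0] in ("tcp", "udp") and a[2] == 50]
```

Running `check_scenarios(parse_acl(ACL_LINES), "1.2.3.6")` shows only the IPsec over TCP scenario fully permitted, which matches the hit counts the poster observed; adding the reply's `permit esp` line completes the native scenario.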