
Pix 525 allow vpn to another company

jllugar
Level 1

I have a PIX 525 ver 6.3(2). I have some consultants who want me to allow them to VPN out of the network to their VPN Concentrator 3000 (which I have very little information about). What ports do I open to allow this?

2 Replies

mchin345
Level 6

Use Client Address; Check this box to let the client specify its own IP address. For maximum security, we recommend that you control IP address assignment and not use client-specified IP addresses. Do not check only this box if you are using IPSec, since IPSec does not allow client-specified IP addresses.

Make sure the setting here is consistent with the setting for Use Client Address on the PPTP/L2TP Parameters tab on the User Management | Base Group screen. A different Use Client Address setting for specific groups and users overrides the setting here and on the base group screen.

I am not sure if this command is implemented in 6.3.2, but try it on the CLI if it exists.

fixup protocol esp-ike

The fixup protocol esp-ike command enables PAT for Encapsulating Security Payload (ESP), single tunnel.

The fixup protocol esp-ike command is disabled by default. If a fixup protocol esp-ike command is issued, the fixup is turned on, and the firewall preserves the source port of the Internet Key Exchange (IKE) and creates a PAT translation for ESP traffic. Additionally, if the esp-ike fixup is on, ISAKMP cannot be turned on any interface.

Sincerely,

Patrick