239 Views, 0 Helpful, 1 Reply

PIX Dynamic IP VPN, remote desktop administration

rsmith
Level 3

We have a PIX 515 (yes, this is an older, not an "E" version), running 7.0(2) code. There are a handful of PIX 501s running point-to-point VPN (static public IP addresses), and another handful of PIX 501s that have dynamic public IP addresses and use dynamic VPN on the 515. All tunnels work, and the remote sites can get to all resources. The issue is that none of our core tools, including ping, remote desktop administration, etc., can get to the dynamic remote sites. Most of these sites are "always on", and I can see the remote PC connections to core resources in the 515 and in the 501 when I SSH into them. Is there an issue with my configuration, or is there another problem with this? Attached is the configuration of the PIX 515.

1 Reply

nefkensp
Level 5

There are two things that can cause you to be unable to reach the other sites through the tunnel:

1) NAT

Have you specifically configured your central PIX to disable NAT for the remote site destinations, e.g.

access-list nonat permit ip

nat (inside) 0 access-list nonat

2) Access-lists

If there is an inbound access-list on the PIX 515 that does not allow traffic to the remote sites (bear in mind, traffic that is a new TCP/UDP connection) and the sysopt connection permit-ipsec command is not given, then it will not be possible for you to reach the remote sites.

So, there are two things you have to check:

1) nat 0 rules (i.e. disable NAT for traffic that matches the specified access-list)

2) sysopt connection permit-ipsec command; it has to be given.

Hope these two pointers help you out.
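The two checks in the reply above (a nat 0 exemption whose access-list covers every remote LAN, and sysopt connection permit-ipsec) are easy to miss on a hub that has grown one spoke at a time. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a PIX-style configuration and reports which of the two prerequisites is missing for each remote LAN. The configuration text, interface name and subnets are constructed for the example (the poster's attached 515 config is not on the page), and the parser only understands the access-list, nat 0 and sysopt lines needed for this check.

```python
"""Audit a PIX-style config for the two VPN reachability prerequisites
from the reply: a nat 0 exemption covering the remote LANs, and
`sysopt connection permit-ipsec`. Added example; the sample config below
is constructed, not the poster's attachment."""
import ipaddress


def _parse_addr(tokens, i):
    """Parse one PIX address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect ACL entries, nat 0 -> ACL bindings and sysopt options."""
    acls, nat0, sysopts = {}, {}, set()
    for raw in text.splitlines():
        t = raw.strip().split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "access-list" and len(t) >= 4:
            name, rest = t[1], t[2:]
            if rest[0] == "extended":          # 7.x syntax; 6.x omits it
                rest = rest[1:]
            if rest[0] not in ("permit", "deny"):   # remark lines etc.
                continue
            action, proto = rest[0], rest[1]
            src, i = _parse_addr(rest, 2)
            dst, _ = _parse_addr(rest, i)
            acls.setdefault(name, []).append((action, proto, src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]      # "nat (inside) 0 access-list nonat"
        elif t[0] == "sysopt":
            sysopts.add(" ".join(t[1:]))
    return acls, nat0, sysopts


def audit_vpn_reachability(config, inside_if, local_lan, remote_lans):
    """Return a list of findings; an empty list means both checks pass."""
    acls, nat0, sysopts = parse_config(config)
    findings = []
    local = ipaddress.ip_network(local_lan)
    acl_name = nat0.get(inside_if)
    if acl_name is None:
        findings.append(f"no 'nat ({inside_if}) 0 access-list ...' binding: "
                        "traffic to the remote LANs will be NATed")
    else:
        entries = [e for e in acls.get(acl_name, []) if e[0] == "permit" and e[1] == "ip"]
        for remote in remote_lans:
            rnet = ipaddress.ip_network(remote)
            covered = any(local.subnet_of(src) and rnet.subnet_of(dst)
                          for _, _, src, dst in entries)
            if not covered:
                findings.append(f"nat 0 access-list {acl_name} has no 'permit ip' "
                                f"entry exempting {local_lan} -> {remote}")
    # permit-vpn is the later spelling of the same option on 7.1+/ASA.
    if not sysopts & {"connection permit-ipsec", "connection permit-vpn"}:
        findings.append("'sysopt connection permit-ipsec' missing: decrypted "
                        "traffic is subject to the inbound interface access-list")
    return findings


# Constructed hub config: the nonat list only covers the first spoke and
# sysopt connection permit-ipsec was never entered.
SAMPLE_BROKEN = """\
: Saved
interface Ethernet1
 nameif inside
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
"""

# Same config with the second spoke exempted and the sysopt line added.
SAMPLE_FIXED = SAMPLE_BROKEN + """\
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0
sysopt connection permit-ipsec
"""

if __name__ == "__main__":
    spokes = ["192.168.10.0/24", "192.168.20.0/24"]
    for label, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, audit_vpn_reachability(cfg, "inside", "10.1.0.0/16", spokes) or "OK")
```

Run it against a saved `show running-config` and it names the spoke whose LAN is missing from the nat 0 list; the constructed broken config produces two findings (the 192.168.20.0/24 exemption and the sysopt line) and the fixed one none.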