Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

trouble with pix 515e

Hi,

Recently I got the troublesome task to manage an existing (and messy) network.

The network is protected by a PIX 515e, and i'm having trouble allowing VPN connections to pass through it. As matter of fact, I can not even allow the users to ping hosts on the internet, despite the fact that the ACLs are seem to be fine.

Let me post the config here, some of you might be able to point out the error.

Also, i'm not 100% familiar with this config, since i did not make it, and there are devices (the router for example) which is not managged by me, thus i can not access.

http://mmcomp.adsl.datanet.hu/~mcdouglas/pix515e.txt

Don't ask my why, but the 150 local user is connected to the DMZ interface of the pix, and only the servers are located on the inside interface.

Thank you.

4 REPLIES
Silver

Re: trouble with pix 515e

The solution that I use to allow any type of client vpn connection to connect from behind my firewall is this:

access-list vpn_client permit esp any any

access-list vpn_client permit gre any any

access-list vpn_client permit udp any any eq 500

global (outside) 50 x.x.x.100-x.x.x.104 netmask 255.255.255.x

nat (inside) 50 access-list vpn_client

The access list should catch nearly any vpn traffic and translate it to an address in the global pool instead of getting PATed like other traffic. This works well for me.

HTH pls rate!

New Member

Re: trouble with pix 515e

Thank you for your answer.

Right now I can't test your suggestion, but will do in the morning. However, as far as i know udp port 500 is needed for ISAKMP/IPSEC Key Management.

Am I not supposed to open tcp port 1723 also? PPTP Control Connection needs it afaik. Correct me if i'm wrong.

I'm not certain I fully understand the global pool and the nat statements, since I never had to deal with them. Of cours i'll look over the subject in my references, but i'd appriciate if you could explain it a bit more detailed.

Thanks again.

New Member

Re: trouble with pix 515e

In simple terms.

Nat pool the range of ip address to be nated and the interface they exist on. The nat pool specifies the range of the real ip addresses used by the hosts.

Global pool, the range of ip addresses the nat pool will be changed/translated to when going through the specified interface.

HTH

New Member

Re: trouble with pix 515e

if you use pptp, and the later 6.3 code you need fixup pptp to avoid having to give each host behind the pix a static nat (for gre) which does not pat translate without the newer fixup.

It will also require GRE/tcp 1723 in the ACL to allow this vpn traffic.

106
Views
3
Helpful
4
Replies