trouble with pix 515e

tgregorics
Level 1

Hi,

Recently I got the troublesome task to manage an existing (and messy) network.

The network is protected by a PIX 515e, and I'm having trouble allowing VPN connections to pass through it. As a matter of fact, I can not even allow the users to ping hosts on the internet, despite the fact that the ACLs seem to be fine.

Let me post the config here, some of you might be able to point out the error.

Also, I'm not 100% familiar with this config, since I did not make it, and there are devices (the router for example) which are not managed by me, thus I can not access them.

http://mmcomp.adsl.datanet.hu/~mcdouglas/pix515e.txt

Don't ask me why, but the 150 local users are connected to the DMZ interface of the PIX, and only the servers are located on the inside interface.

Thank you.

4 Replies

mmorris11
Level 4

The solution that I use to allow any type of client vpn connection to connect from behind my firewall is this:

access-list vpn_client permit esp any any

access-list vpn_client permit gre any any

access-list vpn_client permit udp any any eq 500

global (outside) 50 x.x.x.100-x.x.x.104 netmask 255.255.255.x

nat (inside) 50 access-list vpn_client

The access list should catch nearly any vpn traffic and translate it to an address in the global pool instead of getting PATed like other traffic. This works well for me.

HTH pls rate!

Thank you for your answer.

Right now I can't test your suggestion, but will do in the morning. However, as far as I know UDP port 500 is needed for ISAKMP/IPsec key management.

Am I not supposed to open TCP port 1723 also? The PPTP control connection needs it afaik. Correct me if I'm wrong.

I'm not certain I fully understand the global pool and the nat statements, since I never had to deal with them. Of course I'll look over the subject in my references, but I'd appreciate it if you could explain it in a bit more detail.

Thanks again.

In simple terms:

Nat pool: the range of IP addresses to be NATed and the interface they exist on. The nat pool specifies the range of the real IP addresses used by the hosts.

Global pool: the range of IP addresses the nat pool will be changed/translated to when going through the specified interface.

HTH

If you use PPTP and the later 6.3 code, you need fixup pptp to avoid having to give each host behind the PIX a static NAT (for GRE), which does not PAT translate without the newer fixup.

It will also require GRE/TCP 1723 in the ACL to allow this VPN traffic.
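Added example, not code from this thread: a small Python model of the policy-NAT setup from mmorris11's first reply (the vpn_client ACL with the "tcp any any eq 1723" line the last reply says PPTP also needs, and "nat (inside) 50" bound to "global (outside) 50"), beside the ordinary interface PAT. The pool range, the outside interface address and the hypothetical PixNat class are constructed for illustration; it shows why ESP and GRE, which carry no L4 port, need the pool rather than PAT.

```python
import re

# Constructed PIX 6.x ACL lines: the thread's vpn_client list plus TCP 1723 for PPTP.
VPN_CLIENT_ACL = [
    "access-list vpn_client permit esp any any",
    "access-list vpn_client permit gre any any",
    "access-list vpn_client permit udp any any eq 500",
    "access-list vpn_client permit tcp any any eq 1723",
]
# Stand-in for "global (outside) 50 x.x.x.100-x.x.x.104": a constructed range.
GLOBAL_POOL_50 = [f"203.0.113.{n}" for n in range(100, 105)]
OUTSIDE_IF_ADDR = "203.0.113.1"  # assumed "global (outside) 1 interface" (PAT)
ACL_RE = re.compile(r"access-list \S+ permit (\S+) any any(?: eq (\d+))?$")

def parse_acl(lines):
    """Return (protocol, port-or-None) tuples from PIX 'permit PROTO any any' lines."""
    rules = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        rules.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return rules

def acl_matches(rules, proto, dport):
    return any(p == proto and (port is None or port == dport) for p, port in rules)

class PixNat:
    """Hypothetical model of 'nat (inside) 50 access-list vpn_client' next to the
    default PAT: hosts matching the ACL get a pool address one-to-one, the rest PAT."""
    def __init__(self, rules, pool, if_addr):
        self.rules, self.free, self.if_addr = rules, list(pool), if_addr
        self.bindings, self.next_port = {}, 1024

    def translate(self, src, proto, dport=None):
        if acl_matches(self.rules, proto, dport):  # policy NAT via global pool 50
            if src not in self.bindings:
                if not self.free:
                    return ("drop", "global pool 50 exhausted")
                self.bindings[src] = self.free.pop(0)
            return ("nat", self.bindings[src])
        if proto in ("tcp", "udp"):  # ordinary PAT on the interface address
            self.next_port += 1
            return ("pat", f"{self.if_addr}:{self.next_port}")
        # ESP/GRE have no L4 port, so PAT has nothing to multiplex sessions on
        return ("drop", f"{proto} cannot be PATed without a fixup")
```

Each inside host that sends VPN traffic keeps the same pool address for ESP, GRE, UDP 500 and TCP 1723, so a five-address pool supports five concurrent VPN clients; a sixth is refused rather than silently sharing an address.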
