
New Member

using vpn client behind a firewall

Hi all.

I want to use the VPN client behind a firewall. We have a PIX between our internet connection and the inside. I want to be able to VPN to customer networks from our internal network rather than dialing up to the internet all the time. Anyone know what I have to permit on the PIX for this to happen?

Cisco Employee

Re: using vpn client behind a firewall

Whether doing IPSec or PPTP (you don't specify), the problem is that you're probably doing PAT on the PIX. PAT and IPSec/PPTP don't work well together, particularly through a PIX (in fact, 6.3 code due out next year will have support for one IPSec and one PPTP tunnel going through a PIX with PAT, but that doesn't help you much now).

The only way around this at the moment is to create a static one-to-one translation for your inside PC on the PIX, but of course that means you need a second global IP address. If you're coming from the inside, you'll also need to create conduits/ACLs to allow IP protocol 50 (IPsec, actually ESP) or IP protocol 47 (PPTP, actually GRE) to come back in, 'cause the PIX won't open a hole for these automatically 'cause they're not TCP/UDP protocols.
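The configuration the reply above describes, as an added example that is not part of the original thread: a one-to-one static for the inside PC plus ACL entries that let ESP or GRE return traffic back in. It assumes PIX 6.x ACL syntax; every address and the ACL name `outside_in` are placeholders.

```cisco
: Constructed example; all addresses and the ACL name are placeholders.
: 192.168.1.50  = inside PC running the VPN client
: 203.0.113.10  = spare global address dedicated to that PC
: 198.51.100.20 = customer IPsec gateway
: 198.51.100.30 = customer PPTP server

: One-to-one static translation so this PC is not subject to PAT
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255

: IPsec return traffic: ESP (IP protocol 50), only from the customer gateway
access-list outside_in permit esp host 198.51.100.20 host 203.0.113.10

: PPTP return traffic: GRE (IP protocol 47), only from the customer PPTP server
access-list outside_in permit gre host 198.51.100.30 host 203.0.113.10

: Bind the ACL to the outside interface
access-group outside_in in interface outside
```

If an ACL is already applied to the outside interface, add the permit lines to it instead of binding a new one. Scoping each permit to the customer peer keeps the static from exposing the PC to ESP or GRE from arbitrary sources.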
