VPN Client going through Pix Firewall

murphyw (Level 1)

Hi everyone,

I am a little stuck with something. I have configured my Pix Firewall to allow ESP/AH & IKE (also through the access-list), and the computer running the VPN Client is struggling to connect (it seems to connect OK but then drops). It seems to work when I do a "permit ip any any".

So, once the VPN is established and we have the VPN IP Address, does this ever get seen by the pix ?

3 Replies

m.sir (Level 7)

Did you also permit UDP port 4500? It is used for NAT traversal.

M.

Hi,

Yes, UDP 4500 is also enabled.

Cheers

Wayne

More info:

I am getting ICMP traffic as part of the connection? Does anyone understand what this capture is saying?

Thanks in advance

1: 13:48:00.852967 a.b.c.d.53 > 172.16.0.25.1032: udp 47
2: 13:48:00.906981 172.16.0.25.500 > w.x.y.z.500: udp 394
3: 13:48:01.017256 w.x.y.z.500 > 172.16.0.25.500: udp 286
4: 13:48:01.069149 172.16.0.25.1200 > w.x.y.z.500: udp 76
5: 13:48:01.089228 w.x.y.z.500 > 172.16.0.25.1200: udp 68
6: 13:48:01.089808 172.16.0.25.1200 > w.x.y.z.500: udp 92
7: 13:48:05.249239 w.x.y.z.500 > 172.16.0.25.1200: udp 60
8: 13:48:05.266465 w.x.y.z.500 > 172.16.0.25.1200: udp 140
9: 13:48:05.270783 172.16.0.25.1200 > w.x.y.z.500: udp 84
10: 13:48:05.330732 w.x.y.z.500 > 172.16.0.25.1200: udp 372
11: 13:48:05.422387 172.16.0.25.1200 > w.x.y.z.500: udp 324
12: 13:48:05.491612 w.x.y.z.500 > 172.16.0.25.1200: udp 52
13: 13:48:09.245501 172.16.0.25.1201 > w.x.y.z.10001: udp 124
14: 13:48:09.265016 172.16.0.25.1201 > w.x.y.z.10001: udp 76
15: 13:48:09.269471 172.16.0.25.1201 > w.x.y.z.10001: udp 196
16: 13:48:09.560090 172.16.0.25.1201 > w.x.y.z.10001: udp 84
17: 13:48:09.887847 172.16.0.25.1201 > w.x.y.z.10001: udp 76
18: 13:48:09.981623 172.16.0.25.1201 > w.x.y.z.10001: udp 124
19: 13:48:10.731651 172.16.0.25.1201 > w.x.y.z.10001: udp 124
20: 13:48:11.481649 172.16.0.25.1201 > w.x.y.z.10001: udp 124
21: 13:48:12.231936 172.16.0.25.1201 > w.x.y.z.10001: udp 124
22: 13:48:12.263032 172.16.0.25.1201 > w.x.y.z.10001: udp 196
23: 13:48:12.544130 172.16.0.25.1201 > w.x.y.z.10001: udp 84
24: 13:48:12.981653 172.16.0.25.1201 > w.x.y.z.10001: udp 124
25: 13:48:13.731712 172.16.0.25.1201 > w.x.y.z.10001: udp 124
26: 13:48:14.481679 172.16.0.25.1201 > w.x.y.z.10001: udp 124
27: 13:48:15.232257 172.16.0.25.1201 > w.x.y.z.10001: udp 124
28: 13:48:15.232776 172.16.0.25.1201 > w.x.y.z.10001: udp 124
29: 13:48:15.263078 172.16.0.25.1201 > w.x.y.z.10001: udp 196
30: 13:48:15.981699 172.16.0.25.1201 > w.x.y.z.10001: udp 124
31: 13:48:15.981806 172.16.0.25.1201 > w.x.y.z.10001: udp 124
32: 13:48:16.731712 172.16.0.25.1201 > w.x.y.z.10001: udp 124
33: 13:48:16.731788 172.16.0.25.1201 > w.x.y.z.10001: udp 124
34: 13:48:17.481817 172.16.0.25.1201 > w.x.y.z.10001: udp 124
35: 13:48:17.481908 172.16.0.25.1201 > w.x.y.z.10001: udp 124
36: 13:48:18.232806 172.16.0.25.1201 > w.x.y.z.10001: udp 188
37: 13:48:18.233126 172.16.0.25.1201 > w.x.y.z.10001: udp 204
38: 13:48:18.559770 172.16.0.25.1201 > w.x.y.z.10001: udp 84
39: 13:48:19.731743 172.16.0.25.1201 > w.x.y.z.10001: udp 188
40: 13:48:21.231845 172.16.0.25.1201 > w.x.y.z.10001: udp 188
41: 13:48:22.731758 172.16.0.25.1201 > w.x.y.z.10001: udp 188
42: 13:48:23.000900 w.x.y.z.500 > 172.16.0.25.1200: udp 76
43: 13:48:23.001815 172.16.0.25.1200 > w.x.y.z.500: udp 68
44: 13:48:30.599044 172.16.0.25.1200 > w.x.y.z.500: udp 76
45: 13:48:30.620985 w.x.y.z.500 > 172.16.0.25.1200: udp 68
46: 13:48:30.621092 w.x.y.z.500 > 172.16.0.25.1200: udp 76
47: 13:48:30.621351 172.16.0.25 > w.x.y.z: icmp: 172.16.0.25 udp port 1200 unreachable
48: 13:48:30.621397 172.16.0.25 > w.x.y.z: icmp: 172.16.0.25 udp port 1200 unreachable
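As an added example (not part of this thread), a small Python parser for capture output in the PIX format shown above: it groups the UDP packets by service port and direction, flags any service port that was only ever seen in one direction (the usual sign of a return path the access-list does not permit), and lists the ICMP unreachable messages. The sample lines are constructed in the same format, and the mapping of UDP 10001 to Cisco IPsec-over-UDP encapsulation is an assumption, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the PIX capture above
SAMPLE = """\
2: 13:48:00.906981 172.16.0.25.500 > w.x.y.z.500: udp 394
3: 13:48:01.017256 w.x.y.z.500 > 172.16.0.25.500: udp 286
13: 13:48:09.245501 172.16.0.25.1201 > w.x.y.z.10001: udp 124
14: 13:48:09.265016 172.16.0.25.1201 > w.x.y.z.10001: udp 76
47: 13:48:30.621351 172.16.0.25 > w.x.y.z: icmp: 172.16.0.25 udp port 1200 unreachable
"""

UDP_RE = re.compile(r"^\d+: (\S+) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)$")
ICMP_RE = re.compile(r"^\d+: (\S+) (\S+) > (\S+): icmp: (.*)$")

# Well-known ports for the services discussed in the thread.  10001 as
# Cisco IPsec-over-UDP encapsulation is an assumption, not from the page.
PORT_NAMES = {500: "IKE", 4500: "NAT-T", 10001: "IPsec/UDP (assumed)"}

def service_port(sport, dport):
    """Pick the port that identifies the service; prefer a known one."""
    return dport if dport in PORT_NAMES else sport

def parse_capture(text):
    """Return (udp_packets, icmp_messages) parsed from PIX capture lines."""
    udp, icmp = [], []
    for line in text.splitlines():
        m = UDP_RE.match(line)
        if m:
            _ts, src, sport, dst, dport, size = m.groups()
            udp.append((src, int(sport), dst, int(dport), int(size)))
            continue
        m = ICMP_RE.match(line)
        if m:
            icmp.append((m.group(2), m.group(3), m.group(4)))
    return udp, icmp

def flow_summary(udp):
    """Packet count per (src, dst, service port) direction."""
    counts = Counter()
    for src, sport, dst, dport, _ in udp:
        counts[(src, dst, service_port(sport, dport))] += 1
    return counts

def one_way_services(udp):
    """Service ports whose packets were only ever seen in one direction."""
    seen = {}
    for src, sport, dst, dport, _ in udp:
        seen.setdefault(service_port(sport, dport), set()).add((src, dst))
    return sorted(p for p, dirs in seen.items() if len(dirs) == 1)
```

Run against the full capture, the one-way list and the ICMP unreachables together show which port never got a reply through the firewall.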