02-02-2004 01:54 PM - edited 02-21-2020 01:01 PM
Hey all,
We have a VPN Client that needs to pass through our 515 to a 501.
I have created 2 ACLs
access-list outbound_traffic permit esp object-group ComputerServices host XX.XXX.XXX.XXX
access-list outbound_traffic permit udp object-group ComputerServices host XX.XXX.XXX.XXX eq isakmp
I can now connect to the remote 501, but I can't get PCanywhere to work. I have created two ACLs to allow PCanywhere from the ComputerServices group.
access-list outbound_traffic permit tcp object-group ComputerServices host XX.XXX.XXX.XXX eq pcanywhere-data
access-list outbound_traffic permit udp object-group ComputerServices host XX.XXX.XXX.XXX eq pcanywhere-status
Is there something that I am missing? A NAT statement, or some other concept?
Thanks
Matt
02-06-2004 09:32 AM
A problem with NAT is definitely a possibility. Any packet crossing the PIX must satisfy the conditions of NAT and the ASA. The access-lists will take care of ASA. To satisfy the conditions of NAT, you need to either explicitly disable NAT or configure the appropriate NAT mappings. In addition, you could have a look at the document that describes how to allow IPSec traffic through a PIX.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
02-08-2004 03:47 PM
VPN client through 515 to 501? How are the 515 and 501 connected? Also I'm not too sure what you are trying to achieve with the second set of access lists.
Assuming the 515 is directly connected to the 501 and the 501 is the client VPN termination:
On the 515, all you need to do is have a NAT statement and access-list:
static (inside,outside) <501 public ip> <501 private ip> netmask 255.255.255.255 0 0
access-l xxx permit esp any host <501 public ip>
access-l xxx permit udp any host <501 public ip> eq isakmp
access-l xxx permit udp any host <501 public ip> eq 4500
access-g xxx in interface outside
Then on the 501 you should have the standard VPN client configuration, i.e. access-lists for no-nat and interesting traffic, etc.
Hope this helps.
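As an added example (not posted by anyone in this thread), a small Python check that parses PIX-style access-list lines like the ones above and reports which of the three entries a passing VPN client needs on the 515 (esp, udp/isakmp, udp/4500 for NAT-T) are absent for a given termination host. The ACL snippet, ACL name and 203.0.113.10 address are constructed for the example.

```python
import re

# Constructed PIX-style snippet (not from the thread); the NAT-T udp/4500 line is deliberately left out.
SAMPLE_ACL = """
access-l outside_in permit esp any host 203.0.113.10
access-l outside_in permit udp any host 203.0.113.10 eq isakmp
access-l outside_in permit tcp object-group ComputerServices host 203.0.113.10 eq pcanywhere-data
"""

# What an IPsec VPN client passing through the 515 to a 501 needs: ESP, ISAKMP (udp/500), NAT-T (udp/4500).
REQUIRED = {("esp", None), ("udp", "isakmp"), ("udp", "4500")}

# PIX accepts names or numbers for ports; normalise the two that matter here.
PORT_ALIASES = {"500": "isakmp", "isakmp": "isakmp", "4500": "4500"}

LINE_RE = re.compile(
    r"^access-l(?:ist)?\s+(?P<name>\S+)\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(text):
    """Return (acl_name, proto, dst_host, port) tuples for each permit line to a single host."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, object-group definitions, etc.
        port = m.group("port")
        entries.append((m.group("name"), m.group("proto").lower(), m.group("dst"),
                        PORT_ALIASES.get(port, port) if port else None))
    return entries


def missing_ipsec_entries(text, vpn_host):
    """Which of the required (proto, port) pairs have no permit entry for vpn_host?"""
    present = {(proto, port) for _, proto, dst, port in parse_acl(text) if dst == vpn_host}
    return sorted(REQUIRED - present, key=str)


if __name__ == "__main__":
    for proto, port in missing_ipsec_entries(SAMPLE_ACL, "203.0.113.10"):
        suffix = f" eq {port}" if port else ""
        print(f"missing: access-l outside_in permit {proto} any host 203.0.113.10{suffix}")
```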
02-10-2004 01:08 PM
Hey,
Right now just the internet is connecting the two firewalls together. I have thought about a tunnel but I am not so sure on that.
Could you further explain the config on the 501 that you were talking about?
Thanks
Matt
02-11-2004 03:04 PM
ip local pool xxxpool 10.1.1.11-10.1.1.101
access-list 110 permit ip
nat (inside) 0 access-list 110
vpngroup vpnclient address-pool xxxpool
vpngroup vpnclient dns-server xxx
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
crypto ipsec transform-set xxxset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set xxxset
crypto map xxxvpn 10 ipsec-isakmp dynamic dynmap
crypto map xxxvpn interface outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
In case you need further assistance, please post your config.