
VPN client through 515 to 501

matthew.bauer
Level 1

Hey all,

We have a VPN Client that needs to pass through our 515 to a 501.

I have created 2 ACL's

access-list outbound_traffic permit esp object-group ComputerServices host XX.XXX.XXX.XXX
access-list outbound_traffic permit udp object-group ComputerServices host XX.XXX.XXX.XXX eq isakmp

I can now connect to the remote 501, but I can't get pcAnywhere to work. I have created two ACLs to allow pcAnywhere from the ComputerServices group.

access-list outbound_traffic permit tcp object-group ComputerServices host XX.XXX.XXX.XXX eq pcanywhere-data
access-list outbound_traffic permit udp object-group ComputerServices host XX.XXX.XXX.XXX eq pcanywhere-status

Is there something that I am missing? A NAT statement, or some other concept?

Thanks

Matt

4 Replies

drolemc
Level 6

A problem with NAT is definitely a possibility. Any packet crossing the PIX must satisfy the conditions of NAT and the ASA. The access-lists will take care of ASA. To satisfy the conditions of NAT, you need to either explicitly disable NAT or configure the appropriate NAT mappings. In addition, you could have a look at the document that describes how to allow IPSec traffic through a PIX.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

jackko
Level 7

vpn client through 515 to 501? how are the 515 and 501 connected? also i'm not too sure what you are trying to achieve with the second set of access lists.

assuming the 515 is directly connected to the 501 and the 501 is the vpn client termination:

On the 515, all you need to do is have a nat statement and access-l:

static (inside,outside) <501 public ip> <501 private ip> netmask 255.255.255.255 0 0
access-l xxx permit esp any host <501 public ip>
access-l xxx permit udp any host <501 public ip> eq isakmp
access-l xxx permit udp any host <501 public ip> eq 4500
access-g xxx in interface outside

then on the 501 you should have the standard vpn client configuration, i.e. access-l for no-nat and interesting traffic etc.

hope this helps
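The difference between the two access-lists in this thread (the original one, with esp and isakmp only, and the suggested one, which adds udp 4500 for NAT-T) can be checked mechanically. The following script is an added example, not code from the thread or from Cisco: it parses PIX-style `access-list`/`access-l` permit lines and reports which of the three entries an IPsec VPN client needs (ESP, UDP/500, UDP/4500) are missing for a given peer, and which entries are unrelated to the tunnel. The peer address 203.0.113.10 is a constructed placeholder standing in for the masked XX.XXX.XXX.XXX host above; the port-name table and the `Ace` structure are my own.

```python
"""Check a PIX access-list for the entries IPsec VPN-client traffic needs
to pass through a firewall: ESP, UDP/500 (isakmp) and UDP/4500 (NAT-T).
Added example; the sample lines are constructed from the ones in the
thread with 203.0.113.10 standing in for the masked peer address."""
from typing import List, NamedTuple, Optional, Set, Tuple

# Subset of the well-known port names the PIX accepts in place of numbers.
PORT_NAMES = {"isakmp": 500, "pcanywhere-data": 5631, "pcanywhere-status": 5632}

# (protocol, destination port) pairs a VPN client must be able to send to the peer.
REQUIRED: Set[Tuple[str, Optional[int]]] = {("esp", None), ("udp", 500), ("udp", 4500)}


class Ace(NamedTuple):
    acl: str
    proto: str            # esp, udp, tcp, ip, ...
    src: str              # "any", "host A", "object-group G" or "net mask"
    dst: str
    port: Optional[int]   # destination port from "eq", None if absent


def _addr(tok: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume one address spec starting at tok[i]; return (text, next index)."""
    if i >= len(tok):
        return None, i
    if tok[i] == "any":
        return "any", i + 1
    if i + 1 >= len(tok):          # "host"/"object-group"/network without its operand
        return None, i
    return f"{tok[i]} {tok[i + 1]}", i + 2


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one permit entry; return None for deny lines, comments or truncated lines."""
    tok = line.split()
    if len(tok) < 4 or not tok[0].startswith("access-l") or tok[2] != "permit":
        return None
    acl, proto = tok[1], tok[3]
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    if src is None or dst is None:
        return None
    port = None
    if i + 1 < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        port = PORT_NAMES.get(name, None)
        if port is None:
            port = int(name)       # numeric port such as "eq 4500"
    return Ace(acl, proto, src, dst, port)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [a for a in (parse_ace(l) for l in lines) if a is not None]


def _to_peer(ace: Ace, peer: str) -> bool:
    return ace.dst in ("any", f"host {peer}")


def missing_for_ipsec(aces: List[Ace], peer: str) -> Set[Tuple[str, Optional[int]]]:
    """(proto, port) pairs the VPN client still cannot send to `peer`."""
    present = {(a.proto, a.port) for a in aces if _to_peer(a, peer)}
    return REQUIRED - present


def non_ipsec_entries(aces: List[Ace], peer: str) -> List[Ace]:
    """Entries towards `peer` that play no part in bringing the tunnel up."""
    return [a for a in aces if _to_peer(a, peer) and (a.proto, a.port) not in REQUIRED]


# Constructed sample: the original poster's four lines, then the suggested set.
PEER = "203.0.113.10"
POSTED = [
    f"access-list outbound_traffic permit esp object-group ComputerServices host {PEER}",
    f"access-list outbound_traffic permit udp object-group ComputerServices host {PEER} eq isakmp",
    f"access-list outbound_traffic permit tcp object-group ComputerServices host {PEER} eq pcanywhere-data",
    f"access-list outbound_traffic permit udp object-group ComputerServices host {PEER} eq pcanywhere-status",
]
SUGGESTED = [
    f"access-l xxx permit esp any host {PEER}",
    f"access-l xxx permit udp any host {PEER} eq isakmp",
    f"access-l xxx permit udp any host {PEER} eq 4500",
]

if __name__ == "__main__":
    for label, lines in (("posted", POSTED), ("suggested", SUGGESTED)):
        aces = parse_acl(lines)
        print(f"{label}: missing {sorted(missing_for_ipsec(aces, PEER), key=str)}")
        for extra in non_ipsec_entries(aces, PEER):
            print(f"  not part of the tunnel: {extra.proto} port {extra.port}")
```

Run against the posted list the checker reports UDP/4500 as missing and lists the two pcAnywhere entries as unrelated to the tunnel; against the suggested list it reports nothing missing. The pcAnywhere entries are classified as unrelated because, once the tunnel is up, that traffic is carried inside ESP or UDP/4500 and the 515 never sees it as TCP/5631 or UDP/5632.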

Hey,

Right now just the internet is connecting the two firewalls. I have thought about a tunnel but I am not so sure about that.

Could you further explain the config on the 501 that you were talking about?

Thanks

Matt

ip local pool xxxpool 10.1.1.11-10.1.1.101
access-list 110 permit ip 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 110
vpngroup vpnclient address-pool xxxpool
vpngroup vpnclient dns-server xxx
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
crypto ipsec transform-set xxxset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set xxxset
crypto map xxxvpn 10 ipsec-isakmp dynamic dynmap
crypto map xxxvpn interface outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside

in case you need further assistance, please post your config.