New Member

VPN client through firewall

I have a user who needs to access our 3005 through a firewall at a remote site, where we have no control over the network. He can connect via Windows PPTP connection but can't access any resources (though he can ping all hosts on our network), and he can't connect at all via IPSEC with the Cisco VPN client software (running on W2K workstation)--he gets the "remote peer has disconnected" message. Other users accessing from home or sites with no firewalls have no problems either way. The network admin at the other end verified that IPSEC is open on the firewall, but obviously there's something else going on. Is there anything else on the firewall that could be causing problems? It's a Sonic Wall; beyond that I don't know anything about it.

2 REPLIES
Bronze

Re: VPN client through firewall

If you are getting the "remote peer has disconnected" message, that means your concentrator is disconnecting the tunnel. Please enable severity to log for the following classes: IKE, IKEDBG, IPSEC, IPSECDBG.

Jazib

Cisco Employee

Re: VPN client through firewall

Hi,

1. Have the user use a dial up connection to the internet and make an IPSec connection to the VPN3000. If the connection goes OK, then you know the client is in good shape.

2. Now have the client connect from behind the firewall. If there is a static translation for this user on the FW, then you need to make sure that UDP port 500 and Protocol 50 (ESP) are not being blocked.

3. If the FW is doing PAT, then use the option IPSec over UDP or TCP.

Different Scenarios:

1. Using UDP Port 500 and Protocol 50:

This connection is from users who are not sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and Protocol 50 are not being blocked anywhere.

2. Using UDP Port 500 and UDP Port 10000 (Default) -- IPSec Over UDP

This is when you have users sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and UDP Port 10000 are not being blocked.

In the above setup the IKE packet is in UDP Port 500 and the IPSec packet is wrapped in UDP Port 1000.

The default value of IPSec Over UDP is 10000, which is configurable.

3. Using TCP 10000 -- IPSec Over TCP

This is when you have users sitting behind a PAT device, and in this case you need to make sure that TCP Port 10000 is not being blocked.

In the above setup both the IKE and IPSec packets use TCP Port 10000.

The default value of IPSec Over TCP is 10000, which is configurable.

You can discuss these options with the FW Admin and see if he/she can assist you to get the user up and running. But, in the first place have the user use a dial up connection and test it.

Regards,

Arul
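The three transports in the reply above map to three sets of flows the remote firewall must let through. The following script is an added example (not from the original thread or Cisco): it reads constructed firewall deny/allow log lines in a made-up generic format and reports, per transport mode, which required flow was seen denied, so the FW admin and the concentrator admin can agree on a mode to test. The log format and addresses are assumptions; the port and protocol numbers are the ones stated in the reply.

```python
# Constructed sample firewall log (not from the original thread). The
# "action proto src -> dst" layout is a made-up generic format, not any real
# vendor's; adapt parse_line() to the firewall you actually have.
SAMPLE_LOG = """\
deny udp 192.0.2.10:500 -> 198.51.100.5:500
deny esp 192.0.2.10 -> 198.51.100.5
deny udp 192.0.2.10:10000 -> 198.51.100.5:10000
allow tcp 192.0.2.10:51234 -> 198.51.100.5:10000
"""

# Requirements of the three client transports from the reply: each entry is the
# set of (protocol, destination port) pairs that must reach the concentrator.
MODES = {
    "native":         {("udp", 500), ("esp", None)},   # IKE on UDP/500 + ESP (IP proto 50)
    "ipsec_over_udp": {("udp", 500), ("udp", 10000)},  # IKE on UDP/500, ESP wrapped in UDP/10000
    "ipsec_over_tcp": {("tcp", 10000)},                # IKE and ESP both wrapped in TCP/10000
}

def parse_line(line):
    """Return (action, protocol, dst_port) for one log line; dst_port is None for ESP."""
    action, proto, _src, _arrow, dst = line.split()
    _host, _sep, port = dst.partition(":")
    return action, proto, (int(port) if port else None)

def denied_flows(log):
    """Set of (protocol, dst_port) pairs the firewall logged as denied."""
    denied = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        action, proto, port = parse_line(line)
        if action == "deny":
            denied.add((proto, port))
    return denied

def blocked_requirements(log):
    """Per transport mode, the required flows seen denied in the log (sorted list)."""
    denied = denied_flows(log)
    return {mode: sorted(denied & needs, key=lambda r: (r[0], r[1] or 0))
            for mode, needs in MODES.items()}

def usable_modes(log):
    """Modes with no required flow seen denied. Absence of a deny line is not proof
    the path is open, so read this as 'test this mode first', not 'guaranteed'."""
    return [mode for mode, blocked in blocked_requirements(log).items() if not blocked]

if __name__ == "__main__":
    for mode, blocked in blocked_requirements(SAMPLE_LOG).items():
        print(f"{mode:15s} blocked: {blocked or 'nothing seen'}")
    print("try first:", usable_modes(SAMPLE_LOG))
```

On the constructed log, native IPSec and IPSec over UDP each have a required flow denied, while nothing on TCP/10000 was dropped, so IPSec over TCP is the mode to test first with the FW admin.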
