04-22-2003 06:46 AM - edited 02-21-2020 12:29 PM
Hello
I configured a PIX firewall VPN for one client for remote client connections. They are connecting from their site, but they have some firewall installed at that site, and it is a problem because it blocks traffic for the IPsec connection, I think. I told them to permit port 500/UDP for the outgoing ISAKMP connection, but the problem still goes on. Is there some info about the outgoing ports which must be allowed?
I don't know what type of firewall they use, but they are not able to run a debug log on it to check which ports are blocked for outgoing VPN traffic.
The figure looks like this:
CLIENT SITE-----SOME_FIREWALL-----INTERNET--------PIX_FW-----MAIN_SITE
When clients connect to the ISP via dial-up and then connect to the PIX, it works well, because the traffic is not blocked.
Thank you for your reply
Regards
Tomas Lada
04-22-2003 08:28 AM
From what I gather:
the clients are using Cisco VPN client software.
They need a firewall that does VPN passthrough (on the non-PIX side) (do you know what vendor that firewall is? how many tunnels does it allow for passthrough? some cheap firewalls only allow 1 tunnel)
-----------
Is UDP 500/IKE permitted to pass through the non-PIX firewall? If not, then the initial key exchange in phase 1 will not take place.
If it is permitted, then:
Are you using ESP (IP 50) or AH (IP 51) for the IPsec data sessions? One will need to be allowed in on the other side (non-PIX) for the data sessions to take place (again, VPN passthrough).
Is the sysopt connection permit-ipsec command configured on the PIX?
04-22-2003 11:06 PM
Hello
sysopt connection permit-ipsec is configured on the PIX firewall. Port 500/UDP is allowed on the non-PIX firewall too. I use ESP with 3DES for the IPsec session.
Now I am trying to find out what type of firewall (non-PIX side) is used at the remote location, and I will give you feedback.
Thank you
Tomas Lada
04-23-2003 12:56 PM
Hi.
Upgrading your PIX to version 6.3 can solve this problem, because the new PIX version supports "VPN NAT Traversal":
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#65230
The client already supports this, but your PIX does not (or does it?).
Another workaround is to install a terminal server at your side (or a proxy, or SSH, or something like that), and at your PIX firewall allow connections to that server from the network of that remote client. Combined with application-level authentication and encryption, this can also be a secure enough solution.
Yizhar
04-23-2003 04:38 PM
The "SOME_FIREWALL" would have to allow outbound UDP 500 and IP protocol 50 (ESP) and 51 (AH, if you are using AH) (ESP and AH would have to be allowed inbound as well) AND have a one-to-one static NAT translation to the machine on the inside, OR support ESP passthru (in which case you would be limited to only one machine on the "CLIENT_SITE" network accessing your PIX via VPN).
OR
You could, as Yizhar said, upgrade to 6.3 on your firewall and use the NAT traversal feature, which would require the "SOME_FIREWALL" to allow UDP 4500 outbound.
Regards,
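As an added illustration (not code from this thread or from Cisco), here is a small Python script that classifies the packets a capture on the client side would show for the flows named above (IKE on UDP/500, ESP and AH as IP protocols 50 and 51, and NAT-T on UDP/4500, whose payload layout follows RFC 3948) and reports which of them the intervening firewall appears to be dropping. The packet tuples, the direction labels and the sample capture are constructed for the example.

```python
UDP, ESP, AH = 17, 50, 51          # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # ISAKMP and NAT-T UDP ports

def classify(ip_proto, sport, dport, payload=b""):
    """Return the IPsec flow kind of one packet, or None if unrelated."""
    if ip_proto in (ESP, AH):
        return "esp" if ip_proto == ESP else "ah"
    if ip_proto != UDP:
        return None
    if IKE_PORT in (sport, dport):
        return "ike"
    if NATT_PORT not in (sport, dport):
        return None
    # RFC 3948 demux on UDP/4500: a lone 0xFF byte is a NAT keepalive, four zero
    # bytes (the non-ESP marker) precede IKE, anything else is ESP led by its SPI.
    if payload == b"\xff":
        return "natt-keepalive"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "natt-ike"
    return "natt-esp" if len(payload) >= 4 else None

def diagnose(packets):
    """packets: (direction, ip_proto, sport, dport, payload) tuples captured on
    the client side; direction is 'out' (client->PIX) or 'in' (PIX->client)."""
    seen = {}
    for direction, proto, sport, dport, payload in packets:
        kind = classify(proto, sport, dport, payload)
        if kind:
            seen.setdefault(kind, set()).add(direction)
    ike = seen.get("ike", set()) | seen.get("natt-ike", set())
    data = seen.get("esp", set()) | seen.get("ah", set()) | seen.get("natt-esp", set())
    if "out" not in ike:
        return "ike-not-sent"     # client never tried, or the capture is wrong
    if "in" not in ike:
        return "ike-blocked"      # UDP/500 (or 4500) replies never come back
    if "out" not in data:
        return "no-data-traffic"  # phase 1 ran, but no ESP/AH was attempted
    if "in" not in data:
        return "data-blocked"     # the thread's case: IP proto 50/51 is dropped
    return "ok"

# Constructed capture of the thread's symptom: IKE on UDP/500 completes both
# ways, the client sends ESP (4-byte SPI, then ciphertext), nothing comes back.
THREAD_CAPTURE = [
    ("out", UDP, IKE_PORT, IKE_PORT, b"\x01" * 28),
    ("in", UDP, IKE_PORT, IKE_PORT, b"\x02" * 28),
    ("out", ESP, 0, 0, b"\x12\x34\x56\x78" + b"\x00" * 60),
]
if __name__ == "__main__":
    print(diagnose(THREAD_CAPTURE))  # data-blocked
```

Once the client-side firewall is changed to allow ESP (or the PIX is upgraded and everything rides UDP/4500), the same capture should come back "ok".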
04-24-2003 03:17 AM
Hello
Thanks a lot for your reply. The man who maintains "SOME_FIREWALL" sent me a config file, and it was surprising, because "SOME_FIREWALL" looks like a Cisco 1600 :-) configured with some access lists. So I sent him two config lines which allow ESP and he did it for me. Now it is working OK.
Thank you
Tomas Lada