VPN clients 3.6 behind a firewall cannot connect to PIX vpn site

tomas.lada
Level 1

Hello

I configured a PIX firewall VPN for one client for remote client connections. They are connecting from their site, but they have some firewall installed at that site, and it is a problem because it blocks traffic for the IPsec connection, I think. I told them to permit port 500/UDP for the outgoing ISAKMP connection, but the problem still goes on. Is there some info about the outgoing ports that must be allowed?

I don't know what type of firewall they use, but they are not able to run some debug log on it to check which ports are blocked for outgoing VPN traffic...

The figure looks like this:

CLIENT SITE-----SOME_FIREWALL-----INTERNET--------PIX_FW-----MAIN_SITE

When clients connect to ISP via dial-up and then connect to PIX, it works well, because the traffic is not blocked.

Thank you for reply

Regards

Tomas Lada

5 Replies

d-garnett
Level 3

From what I gather:

The clients are using Cisco VPN client software.

They need a firewall that does VPN passthrough (on the non-PIX side). (Do you know what vendor that firewall is? How many tunnels does it allow for passthrough? Some cheap firewalls only allow 1 tunnel.)

-----------

Is UDP 500/IKE permitted to pass through the non-PIX firewall? If not, then the initial key exchange in phase 1 will not take place.

If it is permitted, then:

Are you using ESP (IP 50) or AH (IP 51) for the IPsec data sessions? One will need to be allowed in on the other side (non-PIX) for the data sessions to take place (again, VPN passthrough).

Is the sysopt connection permit-ipsec command configured on the PIX?

Hello

sysopt connection permit-ipsec is configured on the PIX firewall. Port 500/UDP is allowed on the non-PIX firewall too. I use ESP 3DES for the IPsec session.

Now I am trying to find out what type of firewall (non-PIX side) is used in the remote location, and I will give you feedback.

Thank you

Tomas Lada

yizhar
Level 1

Hi.

Upgrading your pix to version 6.3 can solve this problem, because the new pix version supports "VPN NAT Traversal":

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#65230

The client already supports this, but your PIX does not (or does it?).

Another workaround is to install a terminal server at your side (or a proxy, or SSH, or something like that), and at your PIX firewall allow connections to that server from the network of that remote client. Combined with application-level authentication and encryption, this can also be a secure enough solution.

Yizhar

The "SOME_FIREWALL" would have to allow outbound UDP 500 and IP protocol 50 (ESP) and 51 (AH, if you are using AH) (ESP and AH would have to be allowed inbound as well) AND have a one-to-one static NAT translation to the machine on the inside, OR support ESP passthru (in which case you would be limited to only one machine on the "CLIENT_SITE" network accessing your PIX via VPN).

OR

You could, as Yizhar said, upgrade to 6.3 on your firewall and use the NAT Traversal feature, which would require the "SOME_FIREWALL" to allow UDP 4500 outbound.

Regards,
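As an added illustration of the rule set described in the replies above (this is example configuration written for this page, not something any poster provided), here is how the client-side rules might look if "SOME_FIREWALL" were a Cisco IOS router filtering with extended access lists. The PIX address 203.0.113.10, the client LAN 192.0.2.0/24, the ACL numbers 110/120 and the interface names are all placeholders:

```cisco
! --- Before (constructed): only ISAKMP is permitted outbound. ---
! IKE phase 1 completes, but the ESP data sessions are dropped,
! which matches the symptom in the original post.
access-list 110 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq isakmp
access-list 110 deny   ip any any log

! --- After: permit the full set of IPsec flows. ---
! UDP 500  = ISAKMP/IKE         (always required)
! ESP      = IP protocol 50     (required for ESP data sessions)
! AH       = IP protocol 51     (only if AH is used instead of ESP)
! UDP 4500 = NAT-T (non500-isakmp), only when NAT Traversal is in use
!            (PIX 6.3 or later, as Yizhar noted)
access-list 110 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq isakmp
access-list 110 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq non500-isakmp
access-list 110 permit esp 192.0.2.0 0.0.0.255 host 203.0.113.10
access-list 110 permit ahp 192.0.2.0 0.0.0.255 host 203.0.113.10
access-list 110 deny   ip any any log

! Return traffic from the PIX must be allowed in on the Internet side too
! (ESP/AH are not TCP/UDP, so a stateful "established" rule will not cover them).
access-list 120 permit udp host 203.0.113.10 eq isakmp 192.0.2.0 0.0.0.255
access-list 120 permit udp host 203.0.113.10 eq non500-isakmp 192.0.2.0 0.0.0.255
access-list 120 permit esp host 203.0.113.10 192.0.2.0 0.0.0.255
access-list 120 permit ahp host 203.0.113.10 192.0.2.0 0.0.0.255
access-list 120 deny   ip any any log

! Placeholder interface names: LAN side and Internet side of the router.
interface Ethernet0
 ip access-group 110 in
!
interface Serial0
 ip access-group 120 in
```

The `log` keyword on the final deny of each list is what gives the remote administrator the "debug log" the original poster was missing: any blocked IKE, ESP or AH packet shows up in the router log with its protocol and addresses, so a missing line can be identified without guessing. If NAT is performed on this router for more than one client, the ESP permits alone are not enough; that is the case where NAT Traversal (UDP 4500) on PIX 6.3 is needed.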

Hello

Thanks a lot for your reply. The man who maintains "SOME_FIREWALL" sent me a config file, and it was surprising, because the "SOME_FIREWALL" looks like a Cisco 1600 :-) configured with some access lists. So I sent him two config lines which allow ESP, and he did it for me. Now it is working OK.

Thank you

Tomas Lada
