Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
tomas.lada
tomas.lada
Community Member
‎04-22-2003 06:46 AM
‎04-22-2003 06:46 AM

VPN clients 3.6 behind a firewall cannot connect to PIX vpn site

Hello

I configured for one client PIX firewall vpn for remote client connection. They are connecting from their site but they have some firewall installed in this site. And it is a problem because, it blocks traffic for IPSEC connection i think. I told them to permit 500/UDP port for outgoing ISAKMP connection, but the problem still goes on. Is there some info about the outgoing ports, which must be allowed?

I don't know what type of firewall they use, but they are not able to run some debug log on it to check which ports are blocked for outgoing vpn traffic.....

The figure looks like this:

CLIENT SITE-----SOME_FIREWALL-----INTERNET--------PIX_FW-----MAIN_SITE

When clients connect to ISP via dial-up and then connect to PIX, it works well, because the traffic is not blocked.

Thank you for reply

Regards

Tomas Lada

0 Helpful
Reply
5 REPLIES
d-garnett
d-garnett
Community Member
‎04-22-2003 08:28 AM
‎04-22-2003 08:28 AM

Re: VPN clients 3.6 behind a firewall cannot connect to PIX vpn

from what i gather:

^

^

the clients are using cisco vpn client software.

^

they need a firewall that does VPN passthrough (on the non-pix side) (do you know what vendor that firewall is?, how many tunnels does it allow for passthrough? some cheap firewalls only allow 1 tunnel)

-----------

is udp 500/ike permitted to pass through the non-pix firewall, if not then the initial key exchange in phase 1 will not take place.

^

if it is permitted, then,

^

are you using esp (ip 50) or ah (ip 51) for the ipsec data sessions? one will need to be allowed in on the other side (non-pix) for the data sessions to take place (again vpn passthrough).

^

is sysopt connection permit-ipsec command configured on the pix?

0 Helpful
Reply
tomas.lada
tomas.lada
Community Member
‎04-22-2003 11:06 PM
‎04-22-2003 11:06 PM

Re: VPN clients 3.6 behind a firewall cannot connect to PIX vpn

Hello

sysopt connection permit-ipsec is configured on the pix fw. 500/udp port is allowed on the non-pix firewall too. I use ESP 3DES for IPSec session.

Now i try to know what type of firewall (non pix side) is used in the remote location and i will give you a feedback.

Thank you

Tomas Lada

0 Helpful
Reply
yizhar
yizhar
Community Member
‎04-23-2003 12:56 PM
‎04-23-2003 12:56 PM

Re: VPN clients 3.6 behind a firewall cannot connect to PIX vpn

HI.

Upgrading your pix to version 6.3 can solve this problem, because the new pix version supports "VPN NAT Traversal":

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#65230

The client already supports this but your pix does not (or does it)?

Another workaround is to install a terminal server at your side (or proxy or SSH or something like that), and at your pix firewall, allow connections to that server from the network of that remote client. This combined with application level authentication and encryption can be also a secure enough solution.

Yizhar

0 Helpful
Reply
jasobrown
jasobrown
Community Member
‎04-23-2003 04:38 PM
‎04-23-2003 04:38 PM

Re: VPN clients 3.6 behind a firewall cannot connect to PIX vpn

The "SOME_FIREWALL" would have to allow outbound UDP 500 and IP Protocol 50 (ESP) and 51 (AH if you are using AH) (ESP AND AH would have to be allowed inbound as well) AND have a one to one static NAT translation to the machine on the inside / OR / support ESP passthru (which you would then be limited to only one machine on the "CLIENT_SITE" network accessing your Pix via VPN)

OR

You could as Yizhar said upgrade to 6.3 on your firewall and use the nat traversal feature - which would require the "SOME_FIREWALL" to allow UDP 4500 outbound.

Regards,

0 Helpful
Reply
tomas.lada
tomas.lada
Community Member
‎04-24-2003 03:17 AM
‎04-24-2003 03:17 AM

Re: VPN clients 3.6 behind a firewall cannot connect to PIX vpn

Hello

thaks a lot for your reply. Man who maintain "SOME_FIREWALL" sent me a config file and was suprising, because the "SOME_FIREWALL" looks like Cisco 1600 :-) configured with some access lists. So I send him two config lines which allow ESP and he done it for me. Now it is working ok.

Thank you

Tomas Lada

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
96
Views
0
Helpful
5
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs