Cisco Support Community
Community Member

VPN from behind a PIX


I have someone on our internal network who needs to VPN to a customer's site. I've set up rules on the outside interface allowing PPTP and GRE from the server that the person is connecting to, to our internal network. The user is able to connect and authenticate, but after that they are not able to get to any of the servers on their customer's site.

The person is using the checkpoint vpn client to connect.

Any help is greatly appreciated.

Community Member

Re: VPN from behind a PIX

Just went through this process (except client was Cisco and firewall was FWSM context). Try enabling esp inbound:

access-list whatever extended permit esp host server any

or something like that. If that doesn't work, make sure you have an explicit "deny ip any any log" at the end of your inbound ACL, have the logging level set correctly, and review the log. You should see messages sourced from the server being denied, which will tell you what you need to allow.
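To illustrate the "deny ip any any log, then read the log" step from the reply above, here is an added example that is not part of the thread or of any Cisco tool. It parses a few constructed %PIX-4-106023 deny messages (the addresses, interface names and ACL name are made up for the example) and turns the ones sourced from the VPN peer into the permit lines you would add in front of the trailing deny. It assumes the 106023 message shape "Deny proto src if:ip[/port] dst if:ip[/port] by access-group acl" and the PIX 7.x/ASA "extended" ACL syntax used in the reply; on a PIX 6.x box the keyword "extended" is dropped.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines in the %PIX-4-106023 format (assumed shape:
# "Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] by access-group <acl>").
# Addresses, interface names and the ACL name are invented for this example.
SAMPLE_LOG = """\
%PIX-4-106023: Deny esp src outside:203.0.113.5 dst inside:192.168.10.20 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:203.0.113.5/4500 dst inside:192.168.10.20/4500 by access-group "outside_in"
%PIX-4-106023: Deny esp src outside:203.0.113.5 dst inside:192.168.10.20 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.77/51234 dst inside:192.168.10.9/22 by access-group "outside_in"
"""

# Port is optional because ESP/GRE have none; the ACL name may be quoted.
DENY_RE = re.compile(
    r'Deny (?P<proto>\S+) '
    r'src (?P<sif>\w+):(?P<sip>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)(?:/(?P<dport>\d+))? '
    r'by access-group "?(?P<acl>[^"\s]+)"?'
)


def parse_denies(log_text):
    """Return one dict per 106023 deny line; missing ports come back as None."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append(m.groupdict())
    return denies


def suggest_permits(denies, peer, acl):
    """Build permit lines (PIX 7.x/ASA 'extended' syntax, an assumption) for traffic
    denied from the known VPN peer only, de-duplicated in first-seen order, and
    finish with the explicit logging deny so anything else still shows up in the log."""
    rules = OrderedDict()
    for d in denies:
        if d["sip"] != peer or d["acl"] != acl:
            continue  # some other source: leave it denied, it is not the VPN peer
        if d["proto"] in ("tcp", "udp") and d["dport"]:
            rule = (f"access-list {acl} extended permit {d['proto']} host {d['sip']} "
                    f"host {d['dip']} eq {d['dport']}")
        else:
            # ESP, GRE and friends have no ports: permit the protocol between the two hosts
            rule = f"access-list {acl} extended permit {d['proto']} host {d['sip']} host {d['dip']}"
        rules[rule] = None
    rules[f"access-list {acl} extended deny ip any any log"] = None
    return list(rules)


if __name__ == "__main__":
    for r in suggest_permits(parse_denies(SAMPLE_LOG), "203.0.113.5", "outside_in"):
        print(r)
```

Restricting the generated permits to the one peer address matters: a log full of denies is exactly what the trailing "deny ip any any log" is for, and only the lines from the VPN gateway you are troubleshooting should become permits.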

Community Member

Re: VPN from behind a PIX

Unless you are using IPSec over TCP, you will need a one-for-one NAT. Standard IPSec does not work properly through a PAT'ed address.
