New Member

Trouble with outbound VPN from behind PIX

End users of ours are not able to connect via VPN to a client in Chicago from within our network. They can connect from home or from other remote locations. They are using the Cisco VPN client to connect. Is there anything that you know of that could be blocking from inside our world? Is there a fixup we need to have enabled or an ACL that needs to be running? We have a 506 with the latest IOS running. Thoughts?

6 REPLIES
Gold

Re: Trouble with outbound VPN from behind PIX

You may need to permit ESP on the PIX 506.

New Member

Re: Trouble with outbound VPN from behind PIX

And possibly UDP 500 along with ESP.

Gold

Re: Trouble with outbound VPN from behind PIX

Just wondering how you go.

Gold

Re: Trouble with outbound VPN from behind PIX

Add the below entry to the existing ACL NRC:

access-list NRC permit esp any any

Another quick question, just wondering whether the VPN client pool or the remote LAN is overlapping with your LAN.

E.g. according to your PIX config, "ip address inside 192.168.1.254 255.255.255.0". Maybe the VPN client assigned IP or the remote LAN (i.e. your client in Chicago) is also 192.168.1.0/24.

Re: Trouble with outbound VPN from behind PIX

As said in other posts, you possibly need to permit ISAKMP and ESP on your access-lists. Plus, do you have an ACL on the inside interface of the PIX?

New Member

Re: Trouble with outbound VPN from behind PIX

We are also terminating a VPN on the outside interface and that is working fine. Only internal hosts cannot get out while behind the PIX. If they are remote they can connect to the other site just fine. Attached is the config with public IPs changed to all being 1.1.1.1. It may have to do with the outbound ACLs that have limited IP ranges?

Thanks.
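
An added example, not part of the thread or of the poster's attached config: a small Python check that runs the replies' three suggestions (ESP permitted, UDP 500/ISAKMP permitted, no overlap with the inside LAN) against a PIX config. The sample config is constructed, the binding of ACL NRC to the inside interface is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in PIX 6.x syntax. Assumption: ACL NRC is applied
# inbound on the inside interface (the thread does not show the binding).
SAMPLE_CONFIG = """\
ip address inside 192.168.1.254 255.255.255.0
access-list NRC permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list NRC permit udp 192.168.1.0 255.255.255.0 any eq domain
access-group NRC in interface inside
"""

PORT_OPERATORS = {"eq", "range", "lt", "gt", "neq"}

def inside_acl(config):
    """Name of the ACL bound inbound to the inside interface, or None."""
    m = re.search(r"^access-group (\S+) in interface inside$", config, re.M)
    return m.group(1) if m else None

def missing_ipsec_permits(config):
    """Which of ESP and UDP 500 no permit entry in the inside ACL covers.
    Simplification: only protocol and port are checked; source/destination
    addresses and earlier deny entries are ignored."""
    acl = inside_acl(config)
    if acl is None:
        return []  # no ACL on inside: outbound traffic is allowed by default
    missing = {"esp", "udp/500"}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:3] != ["access-list", acl, "permit"]:
            continue
        proto = tok[3]
        if proto in ("esp", "50", "ip"):
            missing.discard("esp")
        if proto in ("udp", "ip"):
            any_port = not PORT_OPERATORS & set(tok)
            if any_port or tok[-2:] in (["eq", "isakmp"], ["eq", "500"]):
                missing.discard("udp/500")
    return sorted(missing)

def overlaps_inside(config, remote_cidr):
    """True if remote_cidr (remote LAN or VPN client pool) overlaps the inside LAN."""
    m = re.search(r"^ip address inside (\S+) (\S+)$", config, re.M)
    inside = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return inside.overlaps(ipaddress.ip_network(remote_cidr))

if __name__ == "__main__":
    print("missing permits:", missing_ipsec_permits(SAMPLE_CONFIG))
    print("overlap with 192.168.1.0/24:", overlaps_inside(SAMPLE_CONFIG, "192.168.1.0/24"))
```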
