VPN client 4.0 behind a Pix

minoc
Level 1

Hello all,

I have a VPN client 4.0 behind a Pix 525 trying to access a server that is connected to another Pix 535 (Internet).

The VPN client does create the VPN channel but when it tries to access the server on the remote Pix 535 it does not work.

The server is located not on the inside but on a DMZ interface.

I checked the Pix log and found a line saying:

deny udp src remote_Pix on outside interface 50

This means that the local pix is not allowing udp 50 from the remote Pix

So I created an access-list allowing udp 50 from remote_Pix to local_pix on interface outside.

But the VPN client could not access the server.

Any ideas?

Carlos Roque

3 Replies

mostiguy
Level 6

Yikes.

First question - can vpn users not behind the pix 525 successfully access that server which is on the 535's DMZ? If the answer is no, then the 535 probably needs some nat 0 access-list changes to ensure that DMZ - VPN client traffic does not get NAT'd.

UDP 50 isn't IPSec. ISAKMP uses UDP 500, and once the tunnel is up, it should either be ESP or AH protocol, or UDP 4500 if nat traversal is enabled. Are you sure you have the log message correct?

Correct VPN users not behind the 525 can access the server when setting up a VPN channel to the outside interface of the 535 Pix.

The access list mentioned indeed was related to udp 500 and not 50. I didn't read the line correctly.

The nat 0 access-list VPNC line is setup on the 535 Pix running configuration.

Regards,

Carlos Roque

I found out what the problem was. The 525 Pix was dropping ESP and UDP 500 packets from the remote 535 Pix. So I setup an ACL to permit ESP and UDP 300 to the static IP of the VPN client.

Now it is working as expected.

Regards,

Carlos Roque
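For reference, the kind of PIX 6.x configuration the thread arrives at, written here as an added illustration rather than taken from the poster's running config. The interface names, ACL names and all addresses (the 535's outside address 203.0.113.10, the VPN client's static address 198.51.100.25, the DMZ subnet 172.16.1.0/24 and the VPN pool 10.10.10.0/24) are assumed placeholders.

```text
! --- Local Pix 525 (the VPN client sits behind it) ---
! The client builds the tunnel outbound, but the 535's replies arrive
! inbound on the outside interface: ISAKMP (UDP 500), ESP (IP protocol 50)
! and, if NAT traversal negotiates, UDP 4500. Without these permits the
! syslog shows "Deny udp src outside:203.0.113.10/500 ..." style drops.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.25 eq isakmp
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.25
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.25 eq 4500
access-group outside_in in interface outside
! The client keeps a static (fixed) translation so the 535 can reach it.
static (inside,outside) 198.51.100.25 192.168.1.25 netmask 255.255.255.255

! --- Remote Pix 535 (terminates the VPN, server lives on the DMZ) ---
! Traffic between the DMZ server and the VPN pool must bypass NAT, as
! mostiguy noted; the nat 0 access-list must name the DMZ interface,
! not only inside, because the server is on the DMZ.
access-list VPNC permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list VPNC
! Decrypted VPN traffic is allowed through without a separate outside ACL.
sysopt connection permit-ipsec
```

Checking the hit counters with `show access-list outside_in` after a connection attempt tells you whether the ESP and UDP 500 entries are matching, which is the quickest way to confirm the drops seen in the 525's log have stopped.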