I have just recently switched to using a pix 501 from a Linksys RVS4000. Using the RVS4000, I was able to establish an IPSEC VPN through that fw, but I've been unable to get the configuration correct for the PIX 501. It is supposed to support IPSEC Passthrough to allow the VPN.
The Connection establishes but I don't get any response from the remote. Probably because of the NAT that is happening.
Is there a way to configure the 501 to allow two way communication using the VPN client behind it? BTW, I am connecting to another 501 in the remote location.
Tony, if using cisco vpn client you need to allow the Ipsec vpn ports udp 500, udp 4500 and esp protocol 50, create an ACL in your firewall and allow these ports outbound.
access-list 101 permit udp any any eq 500
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-group 101 in interface inside
Rate any helpfull post
I reset the unit to defaults and added the ACL as you have it here, but without any luck. I still get a VPN connection, just no return traffic.
If I understood it correctly , you are trying to connect VPN gateway from you desktop VPN client software ( IPSEC, Client to site setup) and at the client end, requests have to pass through the firewall.
and you are suspecting that client end 501 is blocking the request.
Client --> Firewall (501) --> VPN gateway (501)
If I have described your problem correctly, could you tell what ports you have allowed on the firewall for client to vpn gatweay traffic ?
" best way to troubleshoot this scenario is turn debugging on the firewall and try conencting vpn frm desktop and check what all request are getting block"
Currently it is pretty much the default configuration. I do have it set up as a VPN Svr for remote connections when away from this office, but other than that, there are no other ACLs configured.
And you are correct, the network configuration is:
CVPN Client -> Pix 501(1) -> internet -> Pix 501(2) VPN Svr. It's the Pix 501(1) that is new and that I cannot get the IPSEC vpn through.
Tony, perhaps I misunderstood, you are seting up the firewall to do LAN to LAN VPN connection with remote peer, or using cisco vpn client to tunnel into PIX-501(2) ?
I am using Cisco VPN client to tunnel in to Pix501(2). I also need Pix501(2) set up as a termination point for VPNs from clients when not on the local network. This last part works like a champ, I just cannot get the return VPN data through Pix501(2) when the client is behind it.
I was asking abt acl configured at the
In order to let the vpn traffic pass through 501(1), you must have allowed some ports for source ip - cvpn client
destination - 501(2)
can you post the config of 501(1) without ip address ?
in meanwhile you can try to troubleshoot the way i told you " turn debugging on 501(1) and try to connect vpn from client and check for logs at 501(1)"
When not behind Pix501(2), the vpn client connects to Pix501(1) without problems. Only when the client is behind Pix501(2) do I not get the return data. The client connects, just doesn't get the data responses from 501(1).
This is not a 501-501 VPN. It's a VPN client(PC) to 501(1) from behind 501(2).
I think then there is some confusion. Previously I have made the connectivity flow and placed client (pc) behind 501(1) and you said its correct and now you are saying that client is behind 502(2).
as you are now saying is client is behind the 501(2) so now it should look like
VPN gateway 501(1)<-->Internet<-->501(2)firewall<--> client (pc)
and one important thing you have mentioned now is that vpn works when you connect pc to internet without 502(2)
this setup works well
VPN gateway 501(1)<-->Internet<--> client (pc)
** kindly confirm is this connectivity flow is correct this time.
if yes then-
it clearly shows that something is not right with 502(2), what i am suspecting is may there is some extra port that you have open to make the 'client to site' vpn work for pix as vpn gateway.
because in this scenario you have changed the vpn gateway and have done the testing directly from internet and it works well. only when you put a firewall in front of client (pc), there is problem.
so all these thing point to 502(2) only and may be you have to open some more ports there.
look still the solution remain the same,
need info about what all ports you have allowed in 501(2)?
and check the debugging log for 501(2), have you got something there ?
Thanks for your help with this. Your configuration flow is correct. This small business has two locations with separate Internet access and they need to VPN in to each other at times. So both of the firewalls are configured to be VPN gateways as well as needing to have VPN clients behind them to connect to the opposite site. (Yes I know there are other configs that could work, but this is what they want to do.)
I have attached the Pix501(2) config as well as a packet trace during VPN Client test. This client was behind 501(2). BTW, the VPN gateway in this trace is pix501(1).
I have attempted to open ports 500, 4500 and esp on 501(2) with no success. In any case here is the stuff.
i have couple of things to say -
- As a vpn gateway , i donnt have any question mark on 501(1) as client is able to connect to the vpn gateway without firewall in front.
- you have send the packet capture , i think you have captured it from client pc interface.
few things are pretty clear from that vpn gateway is sending the reply and the response is there for ICMP that you have tried. i hope you were able to ping the gateway.
and when you try to connect vpn it does try to connect on port 500 and gateway reply is also there but somehow there is no packet exchange after that.
this means ike is not getting through.
but you have tested the vpn successfully by placing the desktop directly on internet, i hope you are using the same desktop while connecting it from behind the firewall
and you have pptp. l2tp and ipsec all configured on ur pix, what mode you basically using to connect to this gateway ? also which client you are using? is this cisco vpn client or windows vpn client ?
also try to get the debug logs from pix
- logging host
- logging trap debugging
- If needed, set the logging facility
- logging on
you install syslog software on desktop, you can use 3com syslog, its freeware.
aftr collecting the logs, do remember to disable the logging, debugging does put a load on the firewall.
I am having the same problem with a PIX 515 and an ASA as the VPN server for the clients. Have you found a solution yet? If I am able to find one I'll also post it here.
I was able to resolve this issue by adding the following command on my ASA that was acting as the VPN server.
isakmp nat-traversal 20
Hope that helps!
Well, I've tried that before, BUT...no one said it needed to be at the far end. Since I am going through one Pix to terminate the tunnel at another, and it worked fine if the VPN Client was in the wild (internet connected outside of the firewall), I didn't suspect the far end being the problem. I should have though.
I added that statement to both side and now I have data passing and can get to the resources at the other end.
Thanks for adding the statement, "acting as the VPN server". That did it!