Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Client 3.0.4 (C) fails behind 501

I have just recently switched to using a pix 501 from a Linksys RVS4000. Using the RVS4000, I was able to establish an IPSEC VPN through that fw, but I've been unable to get the configuration correct for the PIX 501. It is supposed to support IPSEC Passthrough to allow the VPN.

The Connection establishes but I don't get any response from the remote. Probably because of the NAT that is happening.

Is there a way to configure the 501 to allow two way communication using the VPN client behind it? BTW, I am connecting to another 501 in the remote location.

Thanks,

Tony...

16 REPLIES

Re: VPN Client 3.0.4 (C) fails behind 501

Tony, if using cisco vpn client you need to allow the Ipsec vpn ports udp 500, udp 4500 and esp protocol 50, create an ACL in your firewall and allow these ports outbound.

e.g

access-list 101 permit udp any any eq 500

access-list 101 permit udp any any eq 4500

access-list 101 permit esp any any

access-group 101 in interface inside

Rate any helpfull post

HTH

Jorge

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

Jorge,

I reset the unit to defaults and added the ACL as you have it here, but without any luck. I still get a VPN connection, just no return traffic.

Tony...

Bronze

Re: VPN Client 3.0.4 (C) fails behind 501

Hi Tony,

If I understood it correctly , you are trying to connect VPN gateway from you desktop VPN client software ( IPSEC, Client to site setup) and at the client end, requests have to pass through the firewall.

and you are suspecting that client end 501 is blocking the request.

Client --> Firewall (501) --> VPN gateway (501)

If I have described your problem correctly, could you tell what ports you have allowed on the firewall for client to vpn gatweay traffic ?

" best way to troubleshoot this scenario is turn debugging on the firewall and try conencting vpn frm desktop and check what all request are getting block"

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

Currently it is pretty much the default configuration. I do have it set up as a VPN Svr for remote connections when away from this office, but other than that, there are no other ACLs configured.

And you are correct, the network configuration is:

CVPN Client -> Pix 501(1) -> internet -> Pix 501(2) VPN Svr. It's the Pix 501(1) that is new and that I cannot get the IPSEC vpn through.

Tony...

Re: VPN Client 3.0.4 (C) fails behind 501

Tony, perhaps I misunderstood, you are seting up the firewall to do LAN to LAN VPN connection with remote peer, or using cisco vpn client to tunnel into PIX-501(2) ?

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

Jorge,

I am using Cisco VPN client to tunnel in to Pix501(2). I also need Pix501(2) set up as a termination point for VPNs from clients when not on the local network. This last part works like a champ, I just cannot get the return VPN data through Pix501(2) when the client is behind it.

Thanks,

Tony...

Bronze

Re: VPN Client 3.0.4 (C) fails behind 501

Hi Tony,

I was asking abt acl configured at the

501(1) side.

In order to let the vpn traffic pass through 501(1), you must have allowed some ports for source ip - cvpn client

destination - 501(2)

can you post the config of 501(1) without ip address ?

in meanwhile you can try to troubleshoot the way i told you " turn debugging on 501(1) and try to connect vpn from client and check for logs at 501(1)"

rgds

rajat

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

Rajat,

When not behind Pix501(2), the vpn client connects to Pix501(1) without problems. Only when the client is behind Pix501(2) do I not get the return data. The client connects, just doesn't get the data responses from 501(1).

This is not a 501-501 VPN. It's a VPN client(PC) to 501(1) from behind 501(2).

Thanks,

Tony...

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

Rajat,

BTW, here is the config from Pix501(1). It's in the attachment.

Tony...

Bronze

Re: VPN Client 3.0.4 (C) fails behind 501

Hi Tony,

I think then there is some confusion. Previously I have made the connectivity flow and placed client (pc) behind 501(1) and you said its correct and now you are saying that client is behind 502(2).

as you are now saying is client is behind the 501(2) so now it should look like

VPN gateway 501(1)<-->Internet<-->501(2)firewall<--> client (pc)

and one important thing you have mentioned now is that vpn works when you connect pc to internet without 502(2)

this setup works well

VPN gateway 501(1)<-->Internet<--> client (pc)

** kindly confirm is this connectivity flow is correct this time.

if yes then-

it clearly shows that something is not right with 502(2), what i am suspecting is may there is some extra port that you have open to make the 'client to site' vpn work for pix as vpn gateway.

because in this scenario you have changed the vpn gateway and have done the testing directly from internet and it works well. only when you put a firewall in front of client (pc), there is problem.

so all these thing point to 502(2) only and may be you have to open some more ports there.

look still the solution remain the same,

need info about what all ports you have allowed in 501(2)?

and check the debugging log for 501(2), have you got something there ?

rgds

rajat

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

Rajet,

Thanks for your help with this. Your configuration flow is correct. This small business has two locations with separate Internet access and they need to VPN in to each other at times. So both of the firewalls are configured to be VPN gateways as well as needing to have VPN clients behind them to connect to the opposite site. (Yes I know there are other configs that could work, but this is what they want to do.)

I have attached the Pix501(2) config as well as a packet trace during VPN Client test. This client was behind 501(2). BTW, the VPN gateway in this trace is pix501(1).

I have attempted to open ports 500, 4500 and esp on 501(2) with no success. In any case here is the stuff.

Thanks again!

Tony...

Bronze

Re: VPN Client 3.0.4 (C) fails behind 501

Hi Tony

i have couple of things to say -

- As a vpn gateway , i donnt have any question mark on 501(1) as client is able to connect to the vpn gateway without firewall in front.

- you have send the packet capture , i think you have captured it from client pc interface.

few things are pretty clear from that vpn gateway is sending the reply and the response is there for ICMP that you have tried. i hope you were able to ping the gateway.

and when you try to connect vpn it does try to connect on port 500 and gateway reply is also there but somehow there is no packet exchange after that.

this means ike is not getting through.

but you have tested the vpn successfully by placing the desktop directly on internet, i hope you are using the same desktop while connecting it from behind the firewall

501(2).

and you have pptp. l2tp and ipsec all configured on ur pix, what mode you basically using to connect to this gateway ? also which client you are using? is this cisco vpn client or windows vpn client ?

also try to get the debug logs from pix

- logging host

- logging trap debugging

- If needed, set the logging facility

- logging on

you install syslog software on desktop, you can use 3com syslog, its freeware.

aftr collecting the logs, do remember to disable the logging, debugging does put a load on the firewall.

HTH

rgds

rajat

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

I am having the same problem with a PIX 515 and an ASA as the VPN server for the clients. Have you found a solution yet? If I am able to find one I'll also post it here.

Thanks,

Robert

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

No solution as yet. Haven't had a lot of time to work on it either. If I get the solution I will post it.

Tony...

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

I was able to resolve this issue by adding the following command on my ASA that was acting as the VPN server.

isakmp nat-traversal 20

Hope that helps!

New Member

Re: VPN Client 3.0.4 (C) fails behind 501

Well, I've tried that before, BUT...no one said it needed to be at the far end. Since I am going through one Pix to terminate the tunnel at another, and it worked fine if the VPN Client was in the wild (internet connected outside of the firewall), I didn't suspect the far end being the problem. I should have though.

I added that statement to both side and now I have data passing and can get to the resources at the other end.

Thanks for adding the statement, "acting as the VPN server". That did it!

Tony...

249
Views
0
Helpful
16
Replies