PIX 525 protocol 50 session issue

gerheauserm
Level 1

Am attempting to have a user build a VPN related session, from a node on the inside of my FW, to a VPN host at AT&T. I see the following session build on the FW:

<166>Aug 23 2007 08:38:13: %PIX-6-302015: Built outbound UDP connection 140948597 for outside:12.65.185.2/500 (12.65.185.2/500) to inside:172.17.28.169/1019 (192.77.126.50/663) (bhuffman)

<166>Aug 23 2007 08:40:17: %PIX-6-302016: Teardown UDP connection 140948597 for outside:12.65.185.2/500 to inside:172.17.28.169/1019 duration 0:02:03 bytes 3917 (bhuffman)

Yet, when what appears to be the return session attempts to connect across my outside interface, I see the following:

<163>Aug 23 2007 08:40:14: %PIX-3-106011: Deny inbound (No xlate) protocol 50 src outside:12.65.185.2 dst outside:192.77.126.50

Am I missing something on my PIX FW config to allow vpn related traffic? FYI, this user is in a security group associated with an access-list on the firewall that allows ip any any outbound.

4 Replies

Am running 6.3(1), not exactly sure what you mean by IPsec inspection. Under what menu option, or CLI command, do I find this?

BTW, super appreciate the assistance.

fixup protocol esp-ike

Don't use this if you have VPNs terminated on the firewall, though. You will then have to allow IPsec traffic into the firewall from the outside: UDP 500 and UDP 4500.
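The pattern in the original question (an inside host opens IKE on UDP/500 through PAT, then the peer's ESP, protocol 50, is dropped with "No xlate" because plain ESP has no ports for the PAT table to key on) is easy to pick out of PIX syslog automatically. The script below is an added example, not from the thread or from Cisco; it correlates 302015 "Built outbound UDP connection" lines on port 500 with 106011 protocol-50 denies aimed at the same mapped address, and reports the inside host that needs the esp-ike fixup. The sample log is constructed: the first three lines copy the messages quoted in the question, the fourth is an invented deny from an unrelated peer (10.9.8.7) that never negotiated IKE, included to show it is not flagged.

```python
import re

# Constructed sample syslog. Lines 1-3 are the messages quoted in the question;
# line 4 is made up (peer 10.9.8.7 is an assumption) and must NOT be flagged,
# because no inside host ever started IKE with that peer.
SAMPLE_LOGS = """\
<166>Aug 23 2007 08:38:13: %PIX-6-302015: Built outbound UDP connection 140948597 for outside:12.65.185.2/500 (12.65.185.2/500) to inside:172.17.28.169/1019 (192.77.126.50/663) (bhuffman)
<163>Aug 23 2007 08:40:14: %PIX-3-106011: Deny inbound (No xlate) protocol 50 src outside:12.65.185.2 dst outside:192.77.126.50
<166>Aug 23 2007 08:40:17: %PIX-6-302016: Teardown UDP connection 140948597 for outside:12.65.185.2/500 to inside:172.17.28.169/1019 duration 0:02:03 bytes 3917 (bhuffman)
<163>Aug 23 2007 08:41:00: %PIX-3-106011: Deny inbound (No xlate) protocol 50 src outside:10.9.8.7 dst outside:192.77.126.50
"""

# 302015: outbound UDP built through PAT. Captures the real inside host and the
# mapped (outside) address the peer will answer to.
IKE_BUILT = re.compile(
    r"%PIX-6-302015: Built outbound UDP connection (?P<conn>\d+) "
    r"for outside:(?P<peer>[\d.]+)/(?P<peer_port>\d+) \([\d.]+/\d+\) "
    r"to inside:(?P<inside>[\d.]+)/(?P<inside_port>\d+) "
    r"\((?P<mapped>[\d.]+)/(?P<mapped_port>\d+)\)"
)

# 106011: inbound packet dropped because no translation slot matched it.
ESP_DENY = re.compile(
    r"%PIX-3-106011: Deny inbound \(No xlate\) protocol (?P<proto>\d+) "
    r"src outside:(?P<src>[\d.]+) dst outside:(?P<dst>[\d.]+)"
)

IKE_PORT = "500"   # ISAKMP; with NAT-T the peer would use UDP/4500 instead
ESP_PROTO = "50"   # IP protocol 50 = ESP, no L4 ports for PAT to track


def find_blocked_esp(log_text):
    """Return one finding per ESP packet the PIX dropped for a peer that an
    inside host had previously contacted on UDP/500 through PAT."""
    ike_sessions = {}   # (peer addr, mapped outside addr) -> inside host
    findings = []
    for line in log_text.splitlines():
        m = IKE_BUILT.search(line)
        if m:
            # Only plain IKE on 500 matters. If the client had negotiated
            # NAT-T, ESP would arrive inside UDP/4500 and the existing PAT
            # entry for that UDP flow would carry it; no fixup needed.
            if m["peer_port"] == IKE_PORT:
                ike_sessions[(m["peer"], m["mapped"])] = m["inside"]
            continue
        m = ESP_DENY.search(line)
        if m and m["proto"] == ESP_PROTO:
            inside = ike_sessions.get((m["src"], m["dst"]))
            if inside is not None:
                findings.append({
                    "peer": m["src"],
                    "mapped_ip": m["dst"],
                    "inside_host": inside,
                    "line": line,
                })
    return findings


if __name__ == "__main__":
    for f in find_blocked_esp(SAMPLE_LOGS):
        print(f"ESP from {f['peer']} to mapped {f['mapped_ip']} dropped; "
              f"IKE was started by inside host {f['inside_host']}.")
        print("  PIX 6.3 remedy: 'fixup protocol esp-ike' (one ESP client "
              "through PAT; not if the PIX itself terminates VPNs).")
```

Run as-is it reports exactly one blocked client, 172.17.28.169 behind mapped 192.77.126.50, and stays silent on the unrelated 10.9.8.7 deny, which is what you want: unsolicited protocol-50 packets at the outside interface are noise or probing, not a broken tunnel. The same correlation works on lines collected from a syslog server, and a second 302015/500 from a different inside host to the same peer is the case the esp-ike fixup cannot handle (it supports a single ESP client), so in that situation look for NAT-T on the client side instead.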

ah, found it, will play, much thanks.
