
PIX 501 IPSEC ESP(50) HOW TO

tnathe
Level 1

Hello,

I searched the forum, but didn't find anything on this topic, so I apologize if this has been covered before.

This PIX 501 was already configured when I came on board here, and I'm having trouble configuring it to allow us to connect to an offsite VPN server with one of our internal VPN clients behind the firewall.

I was given a list of ports that had to be opened, and I have opened all those on the PIX (I think), but the error I am getting when trying to log into the VPN server indicates that IKE authentication is not going through.

This is supposed to take place via IPSEC ESP(50). How do I enable that on the PIX 501?

I have attached the running config.

Thanks in advance for any help.

2 Replies

smalkeric
Level 6

What kind of device are these clients connecting to?

Is this device behind a NAT/PAT device?

Is a PPTP client in front of the PIX (or at any other location) able to connect?

Not sure exactly what kind of servers are on the other end. Yes, other clients can connect to the VPN, just not the clients behind this PIX.

I just spent a couple of hours on the phone with a Cisco tech, and he says that IPSEC ESP(50) will not work with my current configuration because I am using PAT.

He suggested getting an extra public IP from our ISP and doing a static to one machine, and then the client on that one machine could connect to the remote VPN servers. Problem is I need the client on 5 machines behind the PIX.

I am sure there must be a workaround (other than just opening the firewall completely).
