03-07-2003 05:53 AM - edited 02-21-2020 12:23 PM
I just got a PIX 515E installed on Wednesday, and I found that I can't make an outbound VPN connection. It will go as far as Verifying Username and Password, but will go no further. I had the same problem with the 2611 router that was functioning as our firewall, but I figured that it had something to do with the fact that the router was doing more than it was supposed to do. Any ideas why it's doing this and how to fix it?
Thanks
03-07-2003 10:11 AM
Which VPN client are you using?
There are some inbound ports you will need to open up for vpn connectivity.
For Cisco's 3.X client, try udp port 500, and IP port esp. Also you may need to open either udp port 10000, or udp port 4500. Check your syslog to see which packets are trying to get back in to verify this.
For Windows VPN client try opening IP GRE.
Some clients also require IP AH.
Hope that helps
~rls
03-07-2003 10:32 AM
I should've mentioned that in my first post. I always forget the important little details. I'm using Windows 2000/XP PPTP VPN (XP Client, 2000 Server). If I get a PIX 501 or 506, or some other router/firewall that supports L2TP for home, I will probably start using 3DES L2TP. I don't know if there will be something I will have to set up differently to use L2TP, but I don't think that's in the near future.
03-07-2003 11:00 AM
Then you should be okay by opening IP GRE. You may also need to open TCP port 1723.
~rls
03-07-2003 11:19 AM
I found a document on permitting PPTP connections through the PIX. It says that static mappings must be made. Is there any way to tell the PIX to allow GRE to any host that is initiating PPTP from the inside, or must I set up static routes?
03-07-2003 11:45 AM
Since the PPTP client initiates the connection on TCP 1723, the PIX doesn't match the inbound GRE connection against the xlate table and so drops the packet in the absence of a permitting conduit or ACL.
You will either need to do a permit-all for GRE to those addresses used with the nat/global statement, or only allow GRE inbound for those addresses assigned to VPN clients via static statements.
~rls
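As an added example (not from this thread or from Cisco's documentation), this is what the two options in the reply above look like in PIX 6.x syntax. All addresses are hypothetical (RFC 5737 documentation ranges): 203.0.113.10 is a spare outside address, 192.168.1.50 is the inside PPTP client, and the access-list name outside_in is an assumption.

```cisco
! Option B (narrower): a one-to-one static for the inside PPTP client, so the
! PIX has an xlate to map the server's inbound GRE packets back to that host.
! Hypothetical addresses: 203.0.113.10 outside, 192.168.1.50 inside client.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255 0 0
!
! Only GRE (IP protocol 47) has to be permitted inbound: the TCP 1723 control
! channel is client-initiated, so its return traffic already matches the xlate.
! Replace "any" with the PPTP server's address if it is fixed, to keep the
! hole as small as possible.
access-list outside_in permit gre any host 203.0.113.10
access-group outside_in in interface outside
!
! Option A (broader): clients translate through a NAT pool (not PAT), so GRE
! is permitted to the whole pool. Hypothetical pool 203.0.113.33-.62 in a /27.
! Shown commented out; use one option or the other.
! global (outside) 1 203.0.113.33-203.0.113.62 netmask 255.255.255.224
! nat (inside) 1 192.168.1.0 255.255.255.0
! access-list outside_in permit gre any 203.0.113.32 255.255.255.224
```

With option B, `show xlate` should list the static entry and `show access-list outside_in` should show the GRE hit count climbing once the tunnel comes up.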