Can't make outbound VPN

dkramkowski
Level 1

I just got a PIX 515E installed on Wednesday, and I found that I can't make an outbound VPN connection. It will go as far as "Verifying Username and Password", but will go no further. I had the same problem with the 2611 router that was functioning as our firewall, but I figured that it had something to do with the fact that the router was doing more than it was supposed to do. Any ideas why it's doing this and how to fix it?

Thanks

5 Replies

rsnaric
Level 1

Which VPN client are you using?

There are some inbound ports you will need to open up for vpn connectivity.

For Cisco's 3.x client, try UDP port 500 and IP protocol ESP. Also you may need to open either UDP port 10000 or UDP port 4500. Check your syslog to see which packets are trying to get back in to verify this.

For Windows VPN client try opening IP GRE.

Some clients also require IP AH.

Hope that helps

~rls

I should've mentioned that in my first post. I always forget the important little details. I'm using Windows 2000/XP PPTP VPN (XP Client, 2000 Server). If I get a PIX 501 or 506, or some other router/firewall that supports L2TP for home, I will probably start using 3DES L2TP. I don't know if there will be something I will have to set up differently to use L2TP, but I don't think that's in the near future.

Then you should be okay by opening IP GRE. You may also need to open TCP port 1723.

~rls

I found a document on permitting PPTP connections through the PIX. It says that static mappings must be made. Is there any way to tell the PIX to allow GRE to any host that is initiating PPTP from the inside, or must I set up static routes?

Since the PPTP client initiates the connection on TCP 1723, the PIX doesn't match the inbound GRE connection against the xlate table and so drops the packet in the absence of a permitting conduit or ACL.

You will either need to do a permit-all GRE for those addresses used with the nat/global statement, or only allow GRE inbound for those addresses assigned to VPN clients via static statements.

~rls
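Both options from the reply above, written out as PIX 6.x configuration. This is an added example, not configuration posted by either participant, and it assumes PIX OS 6.x syntax (pre-7.0), an inside network of 10.1.1.0/24, outside addresses 192.0.2.10 and 192.0.2.11, and an inside PPTP client at 10.1.1.50; all of those values are constructed for illustration.

```text
! --- Option A: permit GRE to the shared global (PAT) address -------------
! TCP 1723 outbound is allowed by the default inside->outside policy and
! its return traffic matches the conn/xlate table. GRE has no port numbers,
! so the return GRE never matches an xlate and must be permitted explicitly.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.10
access-list outside_in permit gre any host 192.0.2.10
access-group outside_in in interface outside

! --- Option B: one static per PPTP client, GRE permitted only to it -------
! Tighter than Option A: GRE is accepted only for the address that belongs
! to a known client, not for everything behind the shared PAT address.
static (inside,outside) 192.0.2.11 10.1.1.50 netmask 255.255.255.255 0 0
access-list outside_in permit gre any host 192.0.2.11
access-group outside_in in interface outside

! --- Verification (after a client attempts to connect) -------------------
show xlate              ! the client's translation should be present
show conn               ! the TCP 1723 control connection should be listed
show access-list        ! hitcnt on the GRE line should increment
```

Because GRE carries no port numbers, Option A can only translate one PPTP session at a time through a single PAT address; a second inside client's GRE cannot be distinguished on the way back. Option B avoids that at the cost of one public address per client. Separately from what the thread discusses: PIX 6.3 and later add `fixup protocol pptp 1723`, which inspects the PPTP control channel and opens the matching GRE return flow dynamically, so on that code the static ACL entries above are no longer needed.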