10-24-2005 05:34 AM
Hi
We've got a pix 501 at our main site and a user trying to connect to remote sites via the Cisco VPN client 4.6. Some of the remote sites are Pix firewalls and some are routers w/ipsec. For some reason, the user can connect to these sites, but cant reach (ping, browse) anything within these remote sites. This used to work fine with our old firewall (instagate), but we just replaced this with a pix501...any ideas. Thanks.
Jason
10-24-2005 07:52 PM
net1 <--> pix <--> www/vpn <--> remote vpn client
net1 <--> pix <--> www/vpn <--> remote sites
assuming the topology above is accurate, and you are trying to allow remote vpn client to access the remote sites after the remote vpn established between the remote pc and the main site pix.
if my assumptions are all correct, then it unfortunate to say that the pix501 can't cope with this scenario.
with pix v6.x, the is a golden rule in restricting packet re-route back to the same interface.
e.g. remote pc encrypts and sends a request that destined for one of the remote sites. the main site pix receives the packet from the outside interface, decrypts it and tries to determine the next hop. based on the crypto acl, pix will then try to encrypt and send the packet to the remote site via the outside interface. since the packet originated from the outside interface, pix wouldn't re-reoute the packet back to the outside interface.
this golden rule has been removed with pix v7.0, however, pix 501 doesn't support v7.0.
an alternative is to configure a terminal server at the main site. so vpn client establishes a terminal session to the server after the remote vpn connection, then access the remote sites via the terminal server.
10-25-2005 04:19 AM
It looks more like this;
RemoteVPNClient <-> MainOfficePix <-> internet <-> RemoteIOSRouter/Firewall
I'm having trouble establishing/communicating VPN THROUGH the MainOfficePix...
10-25-2005 01:43 PM
I have a similar issue and I created a topic in the forum as well. No answers yet. The only difference is that my VPN client is behind a router with IPSEC/IOS. When I try to initiate the VPN session from my LAN through the IOS/IPSEC router to the remote PIX, I observe in the router's loggs that the router is trying to handle the IPSEC traffic on its external interface as it was destined for itself! I believe it has to do with the NAT configured on my router's external interface (or the PIX in your case). Because of the NAT, the PIX sees the router's external IP at the initiation of the VPN session and naturally it sends the replies to the router. As the router is configured to accept VPN connections as well, is trying to handle the IPSEC traffic as it belonged to it. This may be a totally messed up thought but from all I know it seems a logical explanation.
I read somewhere about using the NAT traversal command ("isakmp nat-traversal" I believe for PIX) but if I recall right nothing changed when I applied the command to my router. Check this command out, it may work out for you.
10-25-2005 03:07 PM
jason,
"RemoteVPNClient <-> MainOfficePix <-> internet <-> RemoteIOSRouter/Firewall"
the main site pix has a lan-lan vpn to a remote site, at the same time, the main site pix also is a vpn termination point for the remote vpn client. at this moment, the main site net is able to communicate to the remote site net; also remote vpn client is able to establish a vpn to the main office pix, and access the main office net but not the remote site.
now, you would like to allow remote vpn client (after the vpn established between vpn client and the main site pix) to be able to access the remote site via the vpn between remote vpn client and main site pix.
unfortunately, it's not feasible with pix501.
10-26-2005 04:20 AM
No, that is not correct. My remote vpn client is a user sitting at a desk on a corp. network which is using a pix as the internet firewall. There are vpn tunnels to other sites which work fine. The remote vpn client needs to connect to an IOS Firewall (which terminates only remote vpn connections, not tunnels) and be able to communicate to the hosts on the inside of the IOS Firewall. Thanks
jason
10-26-2005 03:08 PM
please excuse me for misunderstanding.
finally i believe i've got what the issue is. on the pix501 (i.e. the one at the main office), permitting inbound esp traffic maybe required.
e.g.
access-list inbound permit esp any any
access-group inbound in interface outside
assuming an inbound acl has already been created, you can simply add this entry to the existing inbound acl.
10-27-2005 04:20 AM
well, i had esp permitted inbound on both the local and remote firewall. What i ended up doing to make this work is putting an line in the outside acl of the remote ios firewall/router which permits all ip from the PUBLIC IP of the local pix firewall, after that, bingo, connect and communicate.
Thanks for all your help.
j
10-27-2005 03:02 PM
on the remote router, rather than permitting ip, try:
udp500
udp4500
esp
i guess when it comes to security, the more restriction we apply the better.
10-31-2005 05:56 PM
I have similar problem , like this
vpn client 4.6.|-->pix-->router ---> internet cloud-- inside users |
----> router --> vpn conctr-->lan at head office.
Users at inside region are using VPN client 4.6. (my office ) when trying to connect head office they get an error:
"remote host not replying reason 412".
I have tried commands isakmp nat-traversal on PIX ,
(jack ko has suggested this )
I have recored the logs of PFSS , it shows outbound connection established on UDP port 500 to remote ip address , but it is unable to form connection on udp port 4500. ( which is i think is must ).
So do i need to open up udp port 4500 on the vpn concentrator at head office. so PIX at my location will establish a connectivity to VPN concentrator at head office. or do i need to give isakmp nat-traversal command or similar command at head office concentrator.
Is opening up udp port (4500 at head office )a big threat ? If yes any other way to workaround.
Thanks
Subodh
11-01-2005 03:23 AM
nat-traversal maybe required on the concentrator.
to configure, go configuration > tunneling and security > ipsec > nat transparency, and select the option "ipsec over nat-t".
at the same time, create an inbound acl on the pix permitting the followings:
udp 500
udp 4500
ip 50
11-01-2005 06:39 AM
Thanx !! Mr. Jack ko. I will try it out on concentrator.
Any link from Cisco website , which can tell me how exactly VPN client uses these UDP ports ( 4500 and 500 ),
Secondly is there any facility to test that " that particular device ( in our case Concentrator ) is not allowing udp port 4500 to form a connectivity ?
Please inform if u have any idea.
Thanx once again ..
Subodh
11-02-2005 06:12 PM
read the question "Q. If I place my VPN 3000 Concentrator behind a firewall or router running access control lists, which ports and protocols do I need to allow through?"
one point should be noticed is that ipsec nat traversal also use udp 4500.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide