Configuring VPN pass through in PIX 501

kaioyang
Level 1

Need to configure the following:

PC with VPN client 3.5.2 --- PIX 501 (v 6.2) --- Internet --- VPN Concentrator 3000 - Company network

External interface of PIX has only 1 PPPoE address assigned by ISP.

The problem is that after the tunnel is up, there is no inbound traffic from the company network.

This config works if I substitute the PIX with a Dlink 804V router. The difference is a line in the VPN client log:

22 10:10:45.820 06/22/03 Sev=Info/4 IPSEC/0x63700019

Activate outbound key with SPI=0xf7b90d23 for inbound key with SPI=0x51bb9760

The above line is missing in the PIX case.

I've set up NAT on the PIX and sysopt connection permit-ipsec.

What could be the problem?

Is there any article showing how to set up pass-through VPN access through a PIX 501?

3 Replies

mostiguy
Level 6

Do you control the VPN 3000? I would enable the encapsulation through UDP feature - it works great behind all kinds of NAT devices that may or may not have some IPSec awareness that can get in the way. It is enabled by default on the Cisco client software. I got similar behaviour to you when I disabled the use of this feature on my client when connecting with it from behind my 501 to my 3000 at work - an inbound tunnel works, but outbound does not. I don't think fixup protocol esp-ike works on pixen doing PAT, so that probably isn't an option.

Thanks.

I don't control the VPN3k. However, I was told that transparent tunneling is enabled on UDP (and that's what it was at the client options). I am able to get the VPN tunnel to talk properly using the following PIX configuration, but only the designated can access the Internet and VPN now; the other machines in the LAN can't do anything until I remove the static statement.

I read that in PIX 6.2 there is a limitation of 1 traversal VPN through the PIX, but that's all I need. So, what can I do to allow the other PCs to access the Internet while I VPN back to work?

Thanks

Kai

PIX configuration:

access-list to_outside permit ip 192.168.1.0 255.255.255.0 any
access-list to_outside permit icmp 192.168.1.0 255.255.255.0 any
access-list from_work permit ip host 192.168.1.0 255.255.255.0
access-list from_work permit icmp any any time-exceeded
access-list from_work permit icmp any any echo-reply
mtu outside 1400
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.1.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) interface 255.255.255.255 0 0
access-group from_work in interface outside
access-group to_outside in interface inside

Hi,

You don't need to define the static NAT. The global (outside) and nat (inside) combination will take care of the IP address translation of the VPN client traffic (which is UDP port 500 and UDP port 10000 in the case of IPSec over UDP encapsulation).

By the way, what version of the client do you use ?

Regards,

Engel
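A small checker for the conflict Engel describes, added here as an example and not code from the thread or from Cisco: it parses the nat/global/static lines of a PIX 6.x config and flags a static that claims the whole outside interface address while that same address is the PAT pool for the LAN, plus any nat id with no matching global. The sample config is constructed from the lines posted above.

```python
import re

# Constructed sample: the NAT-related lines of the PIX 6.2 configuration posted
# in this thread, including the static line that left the other LAN hosts offline.
POSTED_NAT_CONFIG = """\
ip address outside pppoe setroute
ip address inside 192.168.1.254 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) interface 255.255.255.255 0 0
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+)")


def check_pix_nat(config):
    """Return findings for static/PAT conflicts and orphaned nat ids in a PIX 6.x config."""
    globals_seen = set()  # (interface, nat id) for every global line
    pat_ifaces = set()    # interfaces whose PAT pool is their own address
    nat_ids = set()       # (interface, nat id) for every nat line
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            iface, nat_id, pool = m.groups()
            globals_seen.add((iface, nat_id))
            if pool == "interface":
                pat_ifaces.add(iface)
        elif m := NAT_RE.match(line):
            nat_ids.add(m.groups())
        elif m := STATIC_RE.match(line):
            _inside, outside, proto, mapped = m.groups()
            # A tcp/udp port static can share the interface address with PAT; one with no protocol claims it whole.
            if mapped == "interface" and proto is None and outside in pat_ifaces:
                findings.append(
                    "%s: claims the whole %s interface address, which is also the PAT "
                    "pool for the LAN; remove it and let nat/global translate the VPN "
                    "client's UDP 500 and UDP 10000 like any other outbound traffic"
                    % (line, outside))
    for iface, nat_id in sorted(nat_ids):
        if not any(nid == nat_id for _, nid in globals_seen):
            findings.append("nat (%s) %s has no matching global" % (iface, nat_id))
    return findings


if __name__ == "__main__":
    for finding in check_pix_nat(POSTED_NAT_CONFIG):
        print("WARNING:", finding)
```

Running it on the posted lines reports the static; with that line deleted the config is clean, and a port-redirect static such as `static (inside,outside) tcp interface 80 ...` is deliberately not flagged.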