
How to allow cisco vpn 3.5 client on windows through Pix 506e

rameshpillai
Level 1

I have a user running Cisco VPN Client version 3.5 on Windows NT 4.0, which sits behind a Cisco PIX 506e; the firewall's outside interface is connected to the Internet.

I found that the logging shows "deny protocol 50"...

What are the basic things I need to do for the VPN client to work?

regds

Ramesh

5 Replies

gfullage
Cisco Employee

The problem here is you're doing PAT, and IPSec is not a TCP/UDP type packet which can be PAT'd easily. The PIX doesn't currently support IPSec through PAT specifically. You can remedy this a few ways.

Probably the easiest is to enable the IPSec over UDP feature in the VPN client. You do this in the concentrator config under the group the user is connecting to. Under the Client Config tab, check the IPSec over UDP box. Now when the client connects, all the IPSec packets will be encapsulated into UDP port 10000 (default) packets, which the PIX will then be able to PAT successfully.

In the 3.6 client you can also do IPSec over TCP, which encapsulates ALL the IPSec and ISAKMP packets into a TCP stream, which again the PIX can then PAT successfully.

Or, on the PIX itself you can define a static translation for this inside host rather than let it use the nat/global config, so that the traffic will be NAT'd instead of PAT'd, and that should work also. You'll need an access-list to allow the IPSec packets back into the PIX, because it won't open a hole for those like it does with TCP/UDP packets.

Hello,

You say that the easiest way to solve this problem is to enable IPSec over UDP. Once the option is checked in the VPN client configuration, is there any parameter to add in the PIX configuration?

Thanks

Hello,

Allow incoming traffic on the PIX for the UDP port you have chosen to use. And make sure that the receiving IPSec side is configured to use IPSec over UDP.

jeff.roback
Level 1

You need to allow inbound ESP traffic. If your outside interface has the access list named outside_list, add the following:

access-list outside_list permit esp host x.x.x.x any

(where x.x.x.x is the IP address of the remote VPN server).
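As an added example (not posted by anyone in this thread), here is a PIX 6.x configuration fragment that puts together the static-translation option gfullage describes with the inbound ESP access-list jeff.roback gives. All addresses are assumed placeholders: 192.168.1.10 is the NT workstation running the VPN client, 203.0.113.10 is a spare public address on the outside subnet reserved for it, 198.51.100.5 is the remote VPN concentrator, and the outside access-list is named outside_list as in jeff.roback's post.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   192.168.1.10  inside host running the Cisco VPN Client
!   203.0.113.10  spare public address on the outside subnet
!   198.51.100.5  remote VPN concentrator / IPSec peer
!
! Everyone else keeps using PAT on the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! The VPN client host gets a one-to-one static, so its ESP packets
! (IP protocol 50, no ports to translate) are NAT'd instead of PAT'd.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! The PIX opens return holes for TCP/UDP flows it saw leave, but not for
! ESP, so permit it explicitly from the concentrator to the static address.
! ISAKMP (udp/500) is stateful UDP and would be allowed back anyway;
! listing it keeps the intent visible in the access-list.
access-list outside_list permit esp host 198.51.100.5 host 203.0.113.10
access-list outside_list permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-group outside_list in interface outside
```

If the IPSec over UDP (port 10000 by default) or IPSec over TCP option from gfullage's post is used instead, none of the static or ESP lines are needed: the encapsulated traffic is ordinary UDP or TCP that the existing nat/global PAT handles, and the PIX tracks the return packets itself. To check the static option, `show xlate` should list the 203.0.113.10 to 192.168.1.10 translation and `show access-list outside_list` should show hit counts on the esp line climbing once the client brings the tunnel up; a continuing "deny protocol 50" in the log means the packets are still arriving on an address the access-list does not cover.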

Hi

Thanks a lot, your inbound ESP thing worked at the first shot...

Thanks to all for helping me out.

ramesh