10-30-2002 06:34 AM - edited 02-21-2020 12:09 PM
I have a user using Cisco VPN client version 3.5 on WinNT 4.0, which is behind a Cisco PIX 506e, and the firewall's outside is connected to the Internet.
I found that the logging shows deny protocol 50...
What are the basic things I need to do for the VPN client to work?
Regards,
Ramesh
10-30-2002 05:08 PM
The problem here is you're doing PAT and IPSec is not a TCP/UDP type packet which can be PAT'd easily. The PIX doesn't currently support IPSec thru PAT specifically. You can remedy this a few ways.
Probably the easiest is to enable the IPSec over UDP feature in the VPN client. You do this in the concentrator config under the group the user is connecting to. Under the Client Config tab check the IPSec over UDP box. Now when the client connects all the IPSec packets will be encapsulated into UDP port 10000 (default) packets, which the PIX will then be able to PAT successfully.
In the 3.6 client you can also do IPSec over TCP, which encapsulates ALL the IPSec and ISAKMP packets into a TCP stream, which again the PIX can then PAT successfully.
Or, on the PIX itself you can define a static translation for this inside host rather than let it use the nat/global config, so that the traffic will be NAT'd instead of PAT'd, and that should work also. You'll need an access-list to allow the IPSec packets back into the PIX because it won't open a hole for those like it does with TCP/UDP packets.
11-06-2002 02:25 AM
Hello,
You say that the easiest way to solve this problem is to enable IPSec over UDP. Once the option is checked in the VPN client configuration, is there any parameter to add in the PIX configuration?
Thanks
11-06-2002 03:01 AM
Hello,
Allow incoming traffic on the PIX for the UDP port you have chosen to use, and make sure that the receiving IPSec side is configured to use IPSec over UDP.
11-04-2002 06:43 PM
You need to allow inbound ESP traffic. If your outside interface has the access list named outside_list, add the following:
access-list outside_list permit esp host x.x.x.x any
(where x.x.x.x is the IP address of the remote VPN server).
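As an added example (not from the thread), a small script that scans PIX syslog deny lines for the "protocol 50" denials Ramesh saw and emits the access-list lines discussed above for each remote peer. The log lines are constructed, the message layout is assumed to follow the PIX 6.x 106010/106023 deny format, and the ISAKMP permit is only produced for a peer whose UDP 500 traffic is also being denied.

```python
import re
from collections import defaultdict

# Constructed sample PIX syslog lines (not from the thread); the layout assumes the
# PIX 6.x 106010/106023 deny-message format.
SAMPLE_LOG = """\
%PIX-3-106010: Deny inbound protocol 50 src outside:198.51.100.7 dst inside:192.168.1.20
%PIX-3-106010: Deny inbound udp src outside:198.51.100.7/500 dst inside:192.168.1.20/500
%PIX-3-106023: Deny tcp src outside:203.0.113.9/41000 dst inside:192.168.1.20/80 by access-group "outside_list"
%PIX-3-106010: Deny inbound protocol 50 src outside:198.51.100.8 dst inside:192.168.1.21
"""

# One pattern for both shapes: "protocol <n>" for non-TCP/UDP, or "tcp|udp" with ports.
DENY_RE = re.compile(
    r"Deny (?:inbound )?(?:protocol (?P<num>\d+)|(?P<name>tcp|udp)) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)

ESP = 50        # IP protocol number the PIX log reports as "protocol 50"
IKE_PORT = 500  # ISAKMP, UDP


def find_ipsec_denials(log_text):
    """Map each remote peer to the IPsec traffic kinds ('esp', 'isakmp') denied from it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("sif") != "outside":
            continue  # only inbound denials on the outside interface matter here
        if m.group("num") and int(m.group("num")) == ESP:
            hits[m.group("src")].add("esp")
        elif m.group("name") == "udp" and m.group("sport") == str(IKE_PORT):
            hits[m.group("src")].add("isakmp")
    return dict(hits)


def suggest_acl(hits, acl_name="outside_list"):
    """Build the PIX access-list lines (the thread's ESP permit, plus ISAKMP) per peer."""
    lines = []
    for peer in sorted(hits):
        if "esp" in hits[peer]:
            lines.append(f"access-list {acl_name} permit esp host {peer} any")
        if "isakmp" in hits[peer]:
            lines.append(f"access-list {acl_name} permit udp host {peer} any eq {IKE_PORT}")
    return lines
```

Generated lines still need an `access-group outside_list in interface outside` already bound on the PIX, as in the answer above.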
11-06-2002 08:28 AM
Hi
Thanks a lot, your inbound ESP thing worked at the first shot...
Thanks to all for helping me out.
Ramesh