cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
436
Views
15
Helpful
5
Replies

IPSec VPN Access from behind a PIX 501

doliver
Level 1
Level 1

I have a vendor who is working out of one of our offices which is behind a PIX 501. He needs to be able to VPN via an IPSec client to his office out through the PIX. Can someone please tell me what the easiest way to accomplish this is? An help is appreciated.

Dean

5 Replies 5

pcomeaux
Cisco Employee
Cisco Employee

I have successfully VPN'd to Cisco's Network behind the Pix 501 at my house.

I used the Cisco VPN client and can VPN with Transparent Tunneling enabled on the VPN Client (either IPSec over UDP or IPSec over TCP).

Does this sound like the Transports his IPSec VPN client is using?

thanks

peter

Peter,

Thanks for the response. He is using a Watchguard VPN client that (from what I can see) does not have any settings for transparent tunneling. I was able to get him to PPTP out, but his company's policies prevent that. I guess it's back to the old drawing board.

Dean

Most likely (your mileage may vary), the problem is that you are trying to pass an IPSec connection through a PIX using PAT (many to one translation). The problem is that IPSec uses ESP which is not a TCP or UDP based protocol. As a result, there is no layer 4 information (port number) for the PIX to modify when PAT'ed. The PIX chokes on this and kills the connection. Some IPSec vendors get around this issue by implementing NAT traversal (or more appropriately, PAT traversal) which basically encapsulates the ESP packets in a "fake" TCP or UDP wrapper. This allows the PAT devices to modify Layer 4 information and pass the traffic. The termination device for the IPSec tunnel, simply removes this wrapper and is left with the native IPSec packet.

Now, the good news is that we added a feature in the 6.3 release of PIX code called "PAT for ESP". The 6.3 code has a new command - 'fixup protocol esp-ike' which will allow 1 (and only 1) IPSec connection through a PIX configured with PAT. This command is not enabled by default so will need to upgrade your PIX code (if not on 6.3(X) - 6.3(4) is recommended) and enable the command. Here is a link to the command reference relating to this command - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379

If this doesn't apply to you, let us know as I took a highly likely stab at the cause.

Scott

Hi Scott,

You were right on the money. We had tried using the fixup protocol esp-ike solution, but (as Murphy's Law would have it), the remote office alreay connects via VPN to our main office (pix-to-pix), and to use the fixup protool solution, IPsec has to be disabled on all interfaces. I'm gonna call Watchguard, since it's their VPN client and have them figure it out.

Dean

minoc
Level 1
Level 1

You may get around this by configuring a static nat for the vendor. Then create a rule in the outside interface to permit esp and udp 500 to the static translation ip adddress.

Regards,

Carlos Roque

Office Of Management And Budget

Commonwealth Of Puerto Rico