06-07-2002 06:57 AM - edited 02-21-2020 11:47 AM
Hi all out there
I have the following problem:
I want to establish a VPN connection from a client to a PIX 506. But the PIX 506 is behind a 1605 router which does a bit of firewalling. Between the router and the PIX is a DMZ.
If I connect the client to the DMZ and try the VPN, everything works. If I do this from the web it doesn't. Clearly, the router blocks it. What has to be opened on the router so that VPN connections from the web can be established directly to the PIX? I just tried UDP 500 but it still doesn't work... :(
Thanks in advance
Michael
06-10-2002 01:16 AM
Open AH and ESP protocols in addition to UDP 500 and let us know how it goes. Opening just UDP 500 is not enough.
Vijay
06-10-2002 05:55 AM
Hi Vijay
The config of the 1605 router now looks like this:
Using 1572 out of 7506 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1605_01
!
enable secret 5 $1$mh7c$sBpzneBsJPcLjgcQPcocX0
enable password pass
!
!
!
!
!
ip subnet-zero
!
!
!
!
interface Ethernet0
ip address 194.xx.xx.71 255.255.0.0
ip nat outside
!
interface Ethernet1
ip address 192.168.2.1 255.255.255.0
ip nat inside
!
ip nat inside source static udp 192.168.2.10 500 194.xx.xx.71 500 extendable
ip nat inside source static 192.168.2.21 194.xx.xx.73
ip nat inside source static 192.168.2.20 194.xx.xx.74
ip nat inside source static 192.168.2.10 194.xx.xx.72
ip nat inside source static tcp 192.168.2.10 3389 194.xx.xx.71 16079 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 194.208.60.253
no ip http server
!
access-list 101 permit tcp host 212.77.48.11 host 194.xx.xx.71 eq telnet
access-list 101 permit icmp host 212.77.48.11 host 194.xx.xx.71
access-list 101 permit tcp any host 194.xx.xx.73 eq www
access-list 101 permit tcp host 212.77.48.11 host 194.xx.xx.73 eq ftp
access-list 101 permit tcp any host 194.xx.xx.74 eq smtp
access-list 101 permit tcp host 194.xx.xx.72 any established
access-list 101 permit tcp any host 194.xx.xx.71 eq 16079
access-list 101 permit udp any host 194.xx.xx.71 eq isakmp
access-list 101 permit ahp any host 194.xx.xx.71
access-list 101 permit esp any host 194.xx.xx.71
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
transport input none
line vty 0 4
password pass
login
!
end
Is anything still missing???
Best regards, Michael
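Two things in the posted configuration explain why opening UDP 500, ESP and AH on paper is not enough, and they apply equally to Vijay's advice above. First, access-list 101 is defined but never bound to an interface with `ip access-group`, so it currently filters nothing; whatever blocks the VPN is not that list. Second, the only translation that delivers traffic arriving at 194.xx.xx.71 to 192.168.2.10 is the single-port static for UDP 500: ESP and AH are not UDP and carry no port, so they match no translation and never reach the inside host. 194.xx.xx.71 is the router's own interface address, so it cannot be given a full static; 192.168.2.10 already has one to 194.xx.xx.72. The fragment below is an added example, not the poster's running config or Cisco's recommended template, and it assumes that 192.168.2.10 is the outside interface of the PIX (the host the poster already maps UDP 500 to) and that VPN clients are repointed at 194.xx.xx.72.

```cisco
! Added example for the 1605 (IOS 12.1): bind the filter, translate all
! three IPsec components to the PIX, and permit them inbound.
! Assumption: 192.168.2.10 is the PIX outside interface.
!
! 1. Bind access-list 101 to the outside interface. Without this line the
!    list in the posted config is never evaluated.
interface Ethernet0
 ip address 194.xx.xx.71 255.255.0.0
 ip nat outside
 ip access-group 101 in
!
! 2. Drop the one-port static on .71. It forwards IKE only; ESP (IP
!    protocol 50) and AH (IP protocol 51) sent to .71 have no translation.
!    The existing full static 192.168.2.10 <-> 194.xx.xx.72 already covers
!    every IP protocol, so clients simply connect to 194.xx.xx.72.
no ip nat inside source static udp 192.168.2.10 500 194.xx.xx.71 500 extendable
ip nat inside source static 192.168.2.10 194.xx.xx.72
!
! 3. Rebuild the list. Lines added to a numbered ACL are appended after the
!    final "deny ip any any", where they would never match, so the whole
!    list is removed and re-entered in order.
no access-list 101
access-list 101 permit tcp host 212.77.48.11 host 194.xx.xx.71 eq telnet
access-list 101 permit icmp host 212.77.48.11 host 194.xx.xx.71
access-list 101 permit tcp any host 194.xx.xx.73 eq www
access-list 101 permit tcp host 212.77.48.11 host 194.xx.xx.73 eq ftp
access-list 101 permit tcp any host 194.xx.xx.74 eq smtp
! Carried over unchanged from the posted config. Note that on an inbound
! list a packet with SOURCE 194.xx.xx.72 would have to come from the
! Internet bearing the PIX's own public address, so this entry matches
! nothing legitimate; "any host 194.xx.xx.72 established" may have been meant.
access-list 101 permit tcp host 194.xx.xx.72 any established
access-list 101 permit tcp any host 194.xx.xx.71 eq 16079
! IPsec to the PIX's public address: IKE, then ESP and AH.
access-list 101 permit udp any host 194.xx.xx.72 eq isakmp
access-list 101 permit esp any host 194.xx.xx.72
access-list 101 permit ahp any host 194.xx.xx.72
access-list 101 deny ip any any log
```

To confirm the change is doing what is intended, start a client connection to 194.xx.xx.72 and check `show access-list 101` (the isakmp and esp entries should show non-zero match counts) and `show ip nat translations` (an entry for 192.168.2.10 with protocol 50 should appear after IKE completes). If a client sits behind its own NAT device, ESP will still fail because that device cannot translate a port-less protocol; that is a separate problem from the router configuration shown here.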