cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
452
Views
0
Helpful
2
Replies

PIX 506 VPn behind a Router

mtaeschler
Level 1
Level 1

Hi all out there

I have the following problem:

I want to establish a VPN-connection from an client to a PIX 506. But the PIX 506 is behind a 1605-Router which makes a bit firewalling. Between the Router and the PIX is a DMZ.

If I connect the Client to the DMZ a try the VPN, everything works. If I do this from the web it doesn't. It's clearly, the Router blocks. What is to open on the router, so that VPN-Connections from the Web can be established direct to the PIX? I just tried UDP 500 but it still doesn't work... :(

Thx in advance

Michael

2 Replies 2

vijkrish
Cisco Employee
Cisco Employee

Open AH and ESP protocols in addition to UDP 500 and let us know how it goes. Opening just UDP 500 is not enough.

Vijay

Hi Vijay

The config of the 1605-Router no looks like this:

Using 1572 out of 7506 bytes

!

version 12.1

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname router1605_01

!

enable secret 5 $1$mh7c$sBpzneBsJPcLjgcQPcocX0

enable password pass

!

!

!

!

!

ip subnet-zero

!

!

!

!

interface Ethernet0

ip address 194.xx.xx.71 255.255.0.0

ip nat outside

!

interface Ethernet1

ip address 192.168.2.1 255.255.255.0

ip nat inside

!

ip nat inside source static udp 192.168.2.10 500 194.xx.xx.71 500 extendable

ip nat inside source static 192.168.2.21 194.xx.xx.73

ip nat inside source static 192.168.2.20 194.xx.xx.74

ip nat inside source static 192.168.2.10 194.xx.xx.72

ip nat inside source static tcp 192.168.2.10 3389 194.xx.xx.71 16079 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 194.208.60.253

no ip http server

!

access-list 101 permit tcp host 212.77.48.11 host 194.xx.xx.71 eq telnet

access-list 101 permit icmp host 212.77.48.11 host 194.xx.xx.71

access-list 101 permit tcp any host 194.xx.xx.73 eq www

access-list 101 permit tcp host 212.77.48.11 host 194.xx.xx.73 eq ftp

access-list 101 permit tcp any host 194.xx.xx.74 eq smtp

access-list 101 permit tcp host 194.xx.xx.72 any established

access-list 101 permit tcp any host 194.xx.xx.71 eq 16079

access-list 101 permit udp any host 194.xx.xx.71 eq isakmp

access-list 101 permit ahp any host 194.xx.xx.71

access-list 101 permit esp any host 194.xx.xx.71

access-list 101 deny ip any any log

dialer-list 1 protocol ip permit

dialer-list 1 protocol ipx permit

!

line con 0

transport input none

line vty 0 4

password pass

login

!

end

Is still anything missing???

Best regards michael