Problem connecting to a VPN outside the PIX from the inside network

I am trying to connect to a VPN server (outside the PIX) from my laptop inside the network.

I have routed the VPN IP on the PIX 515 and it pings fine from the PIX, but I am not able to ping it from the 3550 switch or the laptop.

How do I route the VPN IP on the switch? I do not know the mask of the IP.

Also, I would like to know: is there anything extra I have to do on the PIX or on the 3550 switch?

fragomez
Level 1

Hi!

- What is the default gateway of your laptop?

- Are you doing any type of NAT on the PIX? Is it PAT, static, or normal NAT?

- Can you ping the inside of the PIX from the laptop?

There could be several problems to fix here.

1) First, make sure your laptop has access to the internet.

2) If you want to ping the internet, make sure you have an ACL on the PIX like the one below:

i.e.

access-list TEST permit icmp any any

access-group TEST in interface outside

Also make sure you have no access list applied to the inside of the PIX.

- Now, can you connect at all?

- Where are you connecting to? Another PIX? A router? A concentrator?

If you are going through PAT, make sure you have this command on the PIX:

"fixup protocol esp-ike"

Please let me know if you can answer my questions; that way it will be easier to help you.

Frank

Hi Frank

Thanks for that. Yes, I am able to ping now. I have given icmp any any as you said and it is connecting to the concentrator at the other end. If I give icmp any any, I am allowing ping requests to all; will that affect anything?

Thanks again

Nagalakshmi

Good to know that it is working now!

Don't worry about the ping; if you want, you can block it. There is no need for ICMP to be allowed unless you are using PMTUD (only on routers).

The trick was the "fixup protocol", which means that on the concentrator side there is no IPsec over TCP/UDP.

Let me tell you that if any other PC tries to VPN to the concentrator at the same time as your laptop, it will disconnect the first PC. If you want a permanent solution to your problem, make sure you configure the concentrator with IPsec over TCP or IPsec over UDP so you can enable NAT transparency.

What the fixup protocol does is a simple workaround for IPsec through PAT. Remember that PAT breaks IPsec, so what the PIX is doing is an encapsulation of ESP packets; for more details please take a look at the link below:

http://cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278b.html

Hope this helps,

Frank

Hello,

It's PAT, and ICMP is allowed.

Yes, I can ping from the laptop now. Now I would like to know, for a VPN outbound connection through dial-up, which port should be enabled on the PIX? Is there any need for a fixup? I only want to go out of my firewall to connect to the partner's VPN through IP.

If I try to dial up, I get error 721: computer did not respond...

Thanks / Nagalakshmi

Hi,

Now you lost me; what do you mean by dial-up? Do you mean VPN through a PSTN phone line?

I thought it was working through the PIX... By just adding the fixup protocol on the PIX, any connection through the firewall to a VPN endpoint will work and will "work around" the PAT problem you have. You can only have one PC doing VPN, as explained before.

Please give me more details, because I got confused. Sorry.

Frank

I am sorry. I mean the VPN connection created on the laptop. It's going through the PIX only.

As I stated earlier, I am not able to log in to the VPN.

What kind of fixup protocol do I need to open? I tried "esp-isk" but am not getting the proper syntax. I am using a PIX 515 with v6.2.

I even applied an access list permitting TCP port 1723, UDP 500 (ISAKMP) and GRE too. Not sure whether it's required or not.

Regards /Nagalakshmi

OK, let me see...

At this moment I am not sure if you are using PPTP or the Cisco VPN Client, so we will try both. Make sure you do at least one of the suggestions below:

1) Upgrade to 6.3.4 and issue the following commands:

fixup protocol esp-ike

fixup protocol pptp 1723

2) If you cannot upgrade, then you will need a public IP for your laptop and a static translation for it. If you have one "free" public IP address, do this (replace <public-ip> and <laptop-ip> with your addresses):

static (inside,outside) <public-ip> <laptop-ip>

access-list VPN permit udp any host <public-ip> eq 500

access-list VPN permit udp any eq 500 host <public-ip>

access-list VPN permit esp any host <public-ip>

access-list VPN permit udp any host <public-ip>

access-group VPN in interface outside

That should do the trick. My suggestion is to go for the upgrade; then everything should work. If not, please send the configuration. Thanks

Frank
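The two fixes in this thread both come down to the same thing: PAT needs a port number to tell one inside host's flow from another's, and ESP (IPsec) and GRE (PPTP) carry no ports. The toy model below is an added illustration, not code from this thread or from Cisco, of Frank's explanation of "fixup protocol esp-ike" (one ESP tunnel per peer behind PAT, the second PC evicting the first), of NAT transparency (ESP in UDP 4500, which PATs like any UDP flow), and of "fixup protocol pptp 1723" (learning the PPTP call ID from the TCP control channel so the GRE tunnel can be tied to the inside host). The addresses, the hosts and the call ID are constructed; the real PIX fixups also rewrite SPIs and call IDs, which the model omits.

```python
"""Toy PAT engine: why plain ESP and GRE need a fixup behind PAT (constructed)."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

OUTSIDE_IP = "203.0.113.1"              # assumed PAT address of the PIX
PEER = "198.51.100.10"                  # assumed VPN concentrator (RFC 5737 range)
HOST_A, HOST_B = "10.1.1.5", "10.1.1.6"  # two inside PCs


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp", "esp" or "gre"
    src: str
    dst: str
    sport: Optional[int] = None     # udp/tcp only
    dport: Optional[int] = None
    call_id: Optional[int] = None   # gre: PPTP call ID; tcp/1723: call ID requested


class PatFirewall:
    def __init__(self, esp_ike_fixup: bool = False, pptp_fixup: bool = False):
        self.esp_ike_fixup = esp_ike_fixup
        self.pptp_fixup = pptp_fixup
        self._next_port = 1024
        self._xlate = {}       # (src, sport, dst, dport) -> outside port
        self._rxlate = {}      # (outside port, peer) -> inside host
        self._esp_owner = {}   # peer -> the one inside host allowed to use ESP
        self._gre_owner = {}   # (peer, call_id) -> inside host
        self.evicted = []      # hosts whose ESP slot was taken over

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means the PIX drops it."""
        if p.proto in ("udp", "tcp"):
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self._xlate:          # ordinary PAT: allocate a port
                self._xlate[key] = self._next_port
                self._rxlate[(self._next_port, p.dst)] = p.src
                self._next_port += 1
            if self.esp_ike_fixup and p.proto == "udp" and p.dport == 500:
                # fixup esp-ike: the ISAKMP exchange pins the single ESP slot
                # for this peer to whichever host negotiated last.
                prev = self._esp_owner.get(p.dst)
                if prev is not None and prev != p.src:
                    self.evicted.append(prev)
                self._esp_owner[p.dst] = p.src
            if self.pptp_fixup and p.proto == "tcp" and p.dport == 1723:
                # fixup pptp: learn the call ID from the control channel so the
                # GRE tunnel can be tied to this host.
                self._gre_owner[(p.dst, p.call_id)] = p.src
            return replace(p, src=OUTSIDE_IP, sport=self._xlate[key])
        if p.proto == "esp":                    # no port to rewrite
            if self._esp_owner.get(p.dst) != p.src:
                return None
            return replace(p, src=OUTSIDE_IP)
        if p.proto == "gre":                    # no port either, only a call ID
            if self._gre_owner.get((p.dst, p.call_id)) != p.src:
                return None
            return replace(p, src=OUTSIDE_IP)
        return None

    def inbound(self, p: Packet) -> Optional[str]:
        """Return the inside host a packet from the peer is delivered to."""
        if p.proto in ("udp", "tcp"):
            return self._rxlate.get((p.dport, p.src))
        if p.proto == "esp":
            return self._esp_owner.get(p.src)
        if p.proto == "gre":
            return self._gre_owner.get((p.src, p.call_id))
        return None


def esp_two_clients(fixup: bool) -> Tuple[bool, bool, Optional[str], list]:
    """Both PCs run IKE then send ESP to the same concentrator."""
    fw = PatFirewall(esp_ike_fixup=fixup)
    fw.outbound(Packet("udp", HOST_A, PEER, 500, 500))
    fw.outbound(Packet("udp", HOST_B, PEER, 500, 500))
    a_ok = fw.outbound(Packet("esp", HOST_A, PEER)) is not None
    b_ok = fw.outbound(Packet("esp", HOST_B, PEER)) is not None
    return a_ok, b_ok, fw.inbound(Packet("esp", PEER, OUTSIDE_IP)), list(fw.evicted)


def nat_t_two_clients() -> Tuple[Optional[str], Optional[str]]:
    """With NAT transparency the ESP rides in UDP 4500 and PAT just works."""
    fw = PatFirewall(esp_ike_fixup=True)
    pa = fw.outbound(Packet("udp", HOST_A, PEER, 4500, 4500))
    pb = fw.outbound(Packet("udp", HOST_B, PEER, 4500, 4500))
    return (fw.inbound(Packet("udp", PEER, OUTSIDE_IP, 4500, pa.sport)),
            fw.inbound(Packet("udp", PEER, OUTSIDE_IP, 4500, pb.sport)))


def pptp_client(fixup: bool) -> Tuple[bool, Optional[str]]:
    """PPTP: TCP 1723 control channel first, then the GRE data tunnel."""
    fw = PatFirewall(pptp_fixup=fixup)
    fw.outbound(Packet("tcp", HOST_A, PEER, 40000, 1723, call_id=7))
    gre_ok = fw.outbound(Packet("gre", HOST_A, PEER, call_id=7)) is not None
    return gre_ok, fw.inbound(Packet("gre", PEER, OUTSIDE_IP, call_id=7))
```

Without the esp-ike fixup neither PC's ESP gets through at all; with it, only the PC that ran IKE last owns the tunnel and the other is evicted, which is the single-client limitation Frank describes. Running the clients over UDP 4500 instead gives each its own PAT port, so both work. Likewise GRE is dropped until the pptp fixup has seen the call ID on TCP 1723, which is why the final fix needed both "fixup protocol pptp 1723" and an outside ACL permitting GRE.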

HI

Sorry for the delay in response, and thanks a lot for the suggestion you gave. We upgraded the FOS to version 6.3. The VPN connection is working fine now. Added fixup protocol pptp 1723 and the access list with GRE.

Thanks again

Regards

Nagalakshmi

You are more than welcome!

Chico