VPN access to another network

acninet
Level 1

Hi there!

I wonder if it's possible to create a temporary tunnel to another network where both have a PIX firewall?

Company A would like to connect to company B but not the other way around; the connection will be made only when needed.

I have tried to use the VPN client, but was unable to pass traffic. When I connect directly (no PIX), everything is OK.

I don't want to create a permanent connection (PIX-to-PIX) as these are two different companies.

Any suggestions would really be appreciated.

Thanks.

cym

7 Replies

vimal1980
Level 1

Hi!

Your VPN client machine should have a valid IP. Then the proper configuration should be there in the PIX. Definitely you can create the temporary tunnel between the two companies. Try to use IPsec.

HTH.

Rgds

Vimal

I do have valid IPs. I am able to create the tunnel but unable to pass traffic when my VPN client is inside the PIX firewall.

I might be missing a port to open in order for them to communicate. With PIX, VPN client, it works OK.

If the VPN client can connect to the remote PIX, but no traffic is received by the client (check VPN statistics), it's likely to be a problem with NAT traversal.

On the remote PIX, add "isakmp nat-traversal 30" to the config.

Thanks Oliver, it worked. I am now able to ping from both sides. I will just refine the authentication on the servers so that I can access the application from the other end.

Thanks again.

cym

r.fang
Level 1

You might want to consider using Cisco EzVPN with Xauth features to accomplish your business needs.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/pixclnt.htm#wp1032561

Thanks for your reply, but is there an easier sample config that I can follow, like what parameters need to be configured on the client and server side?

PIX A already has a vpngroup configured for its remote access. Now if PIX A would like to connect to PIX B, do I need to configure a new vpnclient vpngroup? Please correct me if I'm wrong; that's what I understood from the link. What else needs to be done on the server side?

I tried to enter the vpnclient config but I'm getting a Config Clash with my other VPN setup:

PIX(config)# vpnclient vpngroup abc password 123
PIX(config)# vpnclient server x.x.x.x
PIX(config)# vpnclient mode client-mode
PIX(config)# vpnclient enable
* Remove "nat (inside) 0 nonat"
* Detach crypto map attached to interface outside
* Remove manually configured ISA policies
CONFIG CLASH: Configuration that would prevent successful PIX Easy VPN Remote
operation has been detected, and is listed above. Please resolve the
above configuration clashes and re-enable.
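The three clashes listed in that output can be looked for in a saved configuration before `vpnclient enable` is attempted. This is an added example, not part of the thread and not Cisco tooling; it assumes PIX 6.x command syntax, and the function names and sample configuration are constructed for illustration.

```python
import re

# Rules mirror the three CONFIG CLASH items quoted above; command shapes assume
# PIX 6.x syntax (an assumption). SAMPLE_CONFIG below is a constructed sample.
CLASH_RULES = [
    ("NAT exemption (nat 0) configured",
     re.compile(r"^nat \(\w+\) 0 (?:access-list\s+)?[A-Za-z_][\w-]*\s*$")),
    ("crypto map attached to an interface",
     re.compile(r"^crypto map \S+ interface \w+\s*$")),
    ("manually configured ISAKMP policy",
     re.compile(r"^isakmp policy \d+ \S+")),
]
NAT_T = re.compile(r"^isakmp nat-traversal(\s+\d+)?\s*$")

SAMPLE_CONFIG = """\
: constructed sample, PIX 6.x style
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map remote 10 ipsec-isakmp dynamic dynmap
crypto map remote interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp nat-traversal 30
"""


def find_easyvpn_clashes(config_text):
    """Return (line_no, reason, line) for each line matching a clash rule."""
    hits = []
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith((":", "!")):  # comment / separator lines
            continue
        for reason, pattern in CLASH_RULES:
            if pattern.match(line):
                hits.append((no, reason, line))
                break
    return hits


def nat_traversal_enabled(config_text):
    """True if the config carries 'isakmp nat-traversal [keepalive]'."""
    return any(NAT_T.match(l.strip()) for l in config_text.splitlines())


if __name__ == "__main__":
    for no, reason, line in find_easyvpn_clashes(SAMPLE_CONFIG):
        print(f"line {no}: {reason}: {line}")
```

Ordinary dynamic NAT (`nat (inside) 1 ...`) and `isakmp enable` are deliberately not flagged, since the clash output names only the exemption, the attached crypto map and the manual policies.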

trevor.stanley
Level 1

The easiest way is to use the VPN client on a PC at Company A, to VPN through a PIX from the LAN. The PC will require a static public address on the PIX at Company A. Then allow ESP back to this public address, e.g.

access-list outside-in permit esp any host 212.121.1.1
static (inside,outside) 212.121.1.1 192.168.1.1

We do this all the time to VPN to all of our remote customers where we have installed a PIX.

Actually this won't work in your case as the PC at Company A has an address which is the same as Company B. Somehow you need to put the PC at Company A onto a different network scheme; we do this by using VLANs.