10-28-2004 11:05 AM - edited 02-21-2020 01:25 PM
Hello, have a 501 with a site to site vpn to a 515, also need to have a host with the VPN Client behind the 501 connect out....
10-28-2004 11:15 AM
What will the VPN client be connecting to? Is it the Cisco VPN client? What version of PIX OS is running on the 501?
If you are using the Cisco VPN client to connect to a remote PIX firewall, you need to have address translation occurring on the PIX 501. In addition, the remote PIX firewall would need to have the command "isakmp nat-traversal" enabled. I believe this command requires the 6.3 version of PIX OS.
If you are using the Cisco VPN client to connect to a VPN 3000 series VPN concentrator, as long as the concentrator is setup to allow NAT transparency, you should be OK.
If you are using a PPTP based VPN client, make sure that the PIX 501 has "fixup pptp" enabled. This command also was introduced in the 6.3 version of PIX OS.
10-28-2004 12:20 PM
Hi;
Connecting to a 515E (note the connection works from in front of the PIX). The client is the Cisco VPN client Ver. 4.0.3, the 501 is 6.3(3), no concentrator, no PPTP. Have done the following:
access-list in permit esp any host myFWIP
static (inside,outside) udp interface isakmp [internal host ip] isakmp netmask 255.255.255.255 0 0
This has allowed the connection and key exchange but no data through the tunnel.....
10-28-2004 12:44 PM
It should be just a matter of adding the "isakmp nat-traversal" command to the 515E. This enables the PIX to allow VPN connections that are coming from translated IP addresses. The catch here is that you have to be coming from a translated address in order for the 515 to know it must use UDP to encapsulate the traffic.
The VPN client also needs to be setup to "Enable Transparent Tunneling". This is done on the Transport tab when you edit the VPN session. You want to make sure that IPSec over UDP (NAT/PAT) is the method selected for this as the PIX does not support IPSec over TCP. (I forgot about this little component in my first post.)
I use this same setup to connect to a PIX 501 running as my VPN termination point with the VPN connection passing through a PIX535. The only thing that I have to do is make sure my IP address on the client is being NAT'ed by the PIX535.
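Why the key exchange succeeds while no data gets through until "isakmp nat-traversal" is on: an added Python model, not from this thread, of a PAT table like the one on the 501 (addresses, ports and the run_session helper are constructed for illustration).

```python
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17                     # IP protocol numbers
ISAKMP_PORT, NAT_T_PORT = 500, 4500   # IKE and IPSec-over-UDP (NAT-T) ports
@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None       # ESP carries no transport ports
    dport: Optional[int] = None

class Pat:
    """PAT as done by the PIX 501: inside hosts share one outside address."""
    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self.table = {}               # (proto, outside port) -> (inside ip, inside port)
        self.next_port = 1024

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # Nothing to key a reverse entry on: the packet leaves, but the
            # firewall has no way to match the reply back to the inside host.
            return replace(pkt, src=self.outside_ip)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None               # dropped: no translation entry
        return replace(pkt, dst=entry[0], dport=entry[1])

def run_session(nat_traversal: bool) -> dict:
    """Client 10.1.1.5 behind PAT to the VPN PIX 198.51.100.1 (constructed)."""
    pat, client, vpn_pix = Pat("203.0.113.2"), "10.1.1.5", "198.51.100.1"
    def round_trip(pkt: Packet) -> bool:
        out = pat.outbound(pkt)
        reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport)
        back = pat.inbound(reply)
        return back is not None and back.dst == client
    ike_ok = round_trip(Packet(UDP, client, vpn_pix, ISAKMP_PORT, ISAKMP_PORT))
    if nat_traversal:                 # IKE detected NAT, so ESP is wrapped in UDP/4500
        data = Packet(UDP, client, vpn_pix, NAT_T_PORT, NAT_T_PORT)
    else:
        data = Packet(ESP, client, vpn_pix)
    return {"ike_ok": ike_ok, "data_ok": round_trip(data)}
```

With nat_traversal=False the IKE exchange over UDP/500 round-trips but the raw ESP reply has no port for the PAT table to match, which is the "key exchange but no data" symptom; with nat_traversal=True the same data travels as UDP/4500 and is delivered.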
10-28-2004 01:24 PM
Ok, so just for my own edification....(yes I'm new to Cisco)
The Client is behind a 501 and will be connecting to a 515E. The 501 also has a site to site VPN to a different 515E.
So with the changes I made to the 501, the access-list and the static route, all I need to ensure is the VPN Client settings (I'll check again but am sure they are as you suggested). The rest will have to happen on the VPN Terminating PIX?
|vpnClient| --> |501| --> Internet -->|515E| {needs isakmp nat-traversal}
|-v-
Client Subnet |VPN==>> Internet ==>>|515E|
Thank you for your great help so far... it is appreciated
10-28-2004 01:35 PM
You are correct. The VPN Terminating PIX has the responsibility to detect that address translation is in use by the client.