Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
555
Views
0
Helpful
5
Replies

VPN Client behind 501

pebertels
Level 1
Level 1

‎10-28-2004 11:05 AM - edited ‎02-21-2020 01:25 PM

Hello, have a 501 with a site to site vpn to a 515, also need to have a host with the VPN Client behind the 501 connect out....

Labels:
0 Helpful
5 Replies 5

sstudsdahl
Level 4
Level 4

‎10-28-2004 11:15 AM

What will the VPN client be connecting to? Is it the Cisco VPN client? What version of PIX OS is running on the 501?

If you are using the Cisco VPN client to connect to a remote PIX firewall, you need to have address translation occurring on the PIX 501. In addition the remote PIX fireall would need to have the command "isakmp nat-traversal" enabled. I beleive this command requires the 6.3 version of PIX OS.

If you are using the Cisco VPN client to connect to a VPN 3000 series VPN concentrator, as long as the concentrator is setup to allow NAT transparency, you should be OK.

If you are using a PPTP based VPN client, make sure that the PIX 501 has "fixup pptp" enabled. This command also was introduced in the 6.3 version of PIX OS.

0 Helpful

pebertels
Level 1
Level 1
In response to sstudsdahl

‎10-28-2004 12:20 PM

Hi;

Connecting to a 515E ( note the connection works from infront of the PIX) the client is the Cisco VPN client Ver. 4.0.3 501 is 6.3(3) no concentrator..no PPTP... have done the following

access-list in permit esp any host myFWIP

static (inside,outside) udp interface isakmp [internal host ip] isakmp netmask 255.255.255.255 0 0

This has allowed the connection and key exchange but no data through the tunnel.....

0 Helpful

sstudsdahl
Level 4
Level 4
In response to pebertels

‎10-28-2004 12:44 PM

It should be just a matter of adding the "isakmp nat-traversal" command to the 515E. This enables the PIX to allow VPN connections that are coming from translated IP addresses. The catch here is that you have to be coming from a translated address in order for the 515 to know it must use UDP to encapsulate the traffic.

The VPN client also needs to be setup to "Enable Transparent Tunneling". This is done on the Transport tab when you edit the VPN session. You want to make sure that IPSec over UDP (NAT/PAT) is the method selected for this as the PIX does not support IPSec over TCP. (I forgot about this little component in my first post.)

I use this same setup to connect to a PIX 501 running as my VPN termination point with the VPN connection passing through a PIX535. The only thing that I have to do is make sure my IP address on the client is being NAT'ed by the PIX535.

0 Helpful

pebertels
Level 1
Level 1
In response to sstudsdahl

‎10-28-2004 01:24 PM

Ok, so just for my own edification....(yes I'm new to Cisco)

The Client is behind a 501 and will be connecting to a 515E. The 501 also has a site to site VPN to a different 515E.

So with the changes I made to the 501, the access-list and the static route, all I need to ensure is the VPN Client settings (I'll check again but am sure they are as you suggested). The rest will have to happen on the VPN Terminating PIX?

|vpnClient| --> |501| --> Internet -->|515E| {needs isakmp nat-traversal}

|-v-

Client Subnet |VPN==>> Internet ==>>|515E|

Thank you for your great help so far... it is appreciated

0 Helpful

sstudsdahl
Level 4
Level 4
In response to pebertels

‎10-28-2004 01:35 PM

You are correct. The VPN Terminating PIX has the responsibility to detect that address translation is in use by the client.

0 Helpful
Customers Also Viewed These Support Documents