08-25-2008 03:12 PM
I just upgraded from a PIX 506e v6.3(5) to a PIX 515e with v8.0(3) in my home office. Unfortunately, I'm no longer able to use the Cisco VPN client to ping or RDP to remote locations. On my previous 506e, I was able to connect from my house going through the 506e and terminate a VPN session on the customer PIX or ASA devices. From there, I was able to ping or RDP to servers and workstations. On my previous 506e, I enabled esp-ike under the fixup protocols and used an ACL for esp, isakmp, and ipsec. Now that I have a 515e with 8.0(3), esp-ike is no longer a supported command, so I added NAT-T and verified the VPN client transport tab was set to use IPsec over UDP. I've tried everything I could read through on the support forums and still no luck. What am I missing? Or is it impossible to go through a local PIX to a remote PIX using a VPN client? I do not want to use the Easy VPN options as I provide remote server support for over a dozen business customers. Any help would be greatly appreciated.
08-25-2008 05:13 PM
Add this to your global policy for IPsec pass-through for the Cisco VPN Client to be able to VPN outbound from behind the PIX/ASA appliance.
IPsec-Cisco-VPN-CLIENT pass through
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect ipsec-pass-thru
ciscoasa(config-pmap-c)# exit
Save the config and try to VPN, and let us know how it works out.
Some additional info for IPsec pass-through inspection:
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1670077
Rgds
Jorge
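One way to confirm from a saved running-config that the inspection from the reply above is in place and that the policy is applied, as an added example that is not part of the original thread. The sample configuration is constructed, the function name `audit_ipsec_pass_thru` is hypothetical, and the check assumes the policy is attached with the default `service-policy global_policy global` line.

```python
# Constructed sample of a PIX/ASA running-config fragment (not from the thread).
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ipsec-pass-thru
!
service-policy global_policy global
"""


def audit_ipsec_pass_thru(config, policy="global_policy", cls="inspection_default"):
    """Return (inspect_present, policy_applied_globally) for running-config text.

    inspect_present is True only when 'inspect ipsec-pass-thru' sits under the
    named class inside the named policy-map, not in some other policy.
    """
    in_policy = in_class = False
    inspect_present = applied = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            continue  # blank lines and '!' separators carry no configuration
        indent = len(line) - len(line.lstrip())
        words = line.split()
        if indent == 0:
            # A new top-level command ends any policy-map/class context.
            in_policy = words[:2] == ["policy-map", policy]
            in_class = False
            if words[:3] == ["service-policy", policy, "global"]:
                applied = True
        elif in_policy and words[0] == "class":
            in_class = words[1:2] == [cls]
        elif in_policy and in_class and words[:2] == ["inspect", "ipsec-pass-thru"]:
            inspect_present = True
    return inspect_present, applied


if __name__ == "__main__":
    present, applied = audit_ipsec_pass_thru(SAMPLE_CONFIG)
    print(f"inspect ipsec-pass-thru present: {present}; policy applied: {applied}")
```
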
08-25-2008 05:50 PM
Jorge,
Thanks for the info. I will try this out tonight and see if that fixes my issue.
Ian
08-26-2008 02:51 PM
Ian, are you all set with the issue or do you still have problems?