VPN to outside

csanchez
Level 1

How can I configure the PIX 515 to allow VPN connections from the inside to the outside using Cisco VPN clients? All inside traffic to the outside gets NATed.

Thanks in advance.

4 Replies

fedrodri
Level 1

Hi,

Is the client computer being NATed or PATed to the outside? If it is being PATed, to allow outbound IPSec traffic, enter the following command (PIX OS version 6.3.x or higher only):

fixup protocol esp-ike

This adds support for ESP through PAT. Here is more information on how this works:

-- Configuring Application Inspection (Fixup):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm#wp1094669

Note that this Application Inspection cannot be turned on if you have VPN tunnels terminating on the outside interface of your PIX. If that's the case, the only solution would be to configure one-to-one static NAT for every client trying to go out through the PIX (follow the guidelines in the link below). Also note that if ESP fixup is turned on, only one client at a time can go through a PAT address!

-- Configuring an IPSec Tunnel Through a Firewall With NAT:

http://www.cisco.com/warp/public/707/ipsecnat.html

Hope that helps!

Federico Rodriguez

I have PIX Firewall Version 6.3(4).

The inside client computer is being NATed, at least that is what is configured on the PIX.

I added the following line and it allowed me to successfully connect via VPN to the outside server:

"access-list 65 permit udp any host a.b.c.d eq 500"

The PIX changed port 500 to isakmp. I selected port 500 because the logs indicated that the client was attempting to connect using port 500.

This allowed me to connect; is this the correct setup? I did not have to configure esp-ike in order to connect. How do I know if the traffic is secured?

Thanks in advance again.

Hi Sanchez,

Yes, UDP 500 is used for ISAKMP. ISAKMP is the basic connectivity protocol for IPsec.

In case you are going through a NAT or PAT, you need to enable NAT translation at the remote end. "isakmp nat-traversal 20" is the command to be put on the remote PIX.

You need to open UDP 4500 in that case; just add this to ACL 65:

access-list 65 permit udp any host a.b.c.d eq 4500

Once your IPsec is connected, all the traffic sent through it is secured. You need not worry after that.
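To tie the two answers together, here is an added example of the PIX 6.3 configuration pieces discussed in this thread (this is not configuration from the original posts or from Cisco documentation). It assumes ACL 65 is the outbound filter applied inbound on the inside interface, uses the thread's placeholder a.b.c.d for the outside VPN server, and uses constructed addresses 192.168.1.10 (inside client) and 203.0.113.10 (its outside static) for the one-to-one NAT option:

```cisco
! Added example (not from the thread): PIX 6.3 pieces for letting an inside
! Cisco VPN client reach a VPN server on the outside.
! a.b.c.d = the outside VPN server placeholder used in the thread.
! 192.168.1.10 / 203.0.113.10 are constructed inside/outside addresses.

! --- Outbound filter on the inside interface (ACL 65 from the thread) ---
! IKE (ISAKMP) runs over UDP 500; the PIX displays port 500 as "isakmp".
access-list 65 permit udp any host a.b.c.d eq isakmp
! NAT-Traversal: when the client detects NAT, IKE and ESP move to UDP 4500.
access-list 65 permit udp any host a.b.c.d eq 4500
! Native ESP (IP protocol 50); only needed if the peer does not negotiate NAT-T.
access-list 65 permit esp any host a.b.c.d
! (permits for the rest of the normal outbound traffic would follow here)
access-group 65 in interface inside

! --- Option A: clients share one PAT address (first reply) ---
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! ESP has no ports, so PAT cannot track it; the esp-ike fixup lets the PIX
! pair the ESP flow with the preceding IKE exchange. Caveats from the thread:
! only one client per PAT address at a time, and it cannot be enabled when
! the PIX itself terminates IPsec on its outside interface.
fixup protocol esp-ike

! --- Option B: one-to-one static NAT per VPN client (no fixup needed) ---
! Each client keeps its own outside address, so native ESP passes unchanged.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! --- On the remote PIX that terminates the tunnel (third reply) ---
! Accept NAT-T from clients behind NAT/PAT, with a 20 second keepalive.
isakmp nat-traversal 20
```

Option A and Option B are alternatives, not a combined recipe: pick the fixup when clients share one PAT address and the PIX terminates no VPN on its outside interface, and pick the per-client static when it does. The UDP 4500 permit is harmless to leave in place either way, since a NAT-T capable client will only use it after detecting NAT during IKE.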

Awesome! Thanks to everyone for the help.