04-19-2005 12:47 PM - edited 02-21-2020 01:43 PM
How can I configure the PIX 515 to allow VPN connections from the inside to the outside using Cisco VPN clients? All inside traffic to outside gets NATed.
Thanks in advance.
04-19-2005 01:05 PM
Hi,
Is the client computer being NATed or PATed to the outside? If it is being PATed, to allow outbound IPSec traffic, enter the following command (PIX OS version 6.3.x or higher only):
fixup protocol esp-ike
This adds support for ESP through PAT. Here is more information on how this works:
-- Configuring Application Inspection (Fixup):
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/fixup.htm#wp1094669
Note that this Application Inspection cannot be turned on if you have VPN tunnels terminating on the outside interface of your PIX. If that's the case, the only solution would be to configure one-to-one static NAT for every client trying to go out through the PIX (follow the guidelines on the link below). Also note that if ESP fixup is turned on, only one client can use a PAT address at a time!
-- Configuring an IPSec Tunnel Through a Firewall With NAT:
http://www.cisco.com/warp/public/707/ipsecnat.html
Hope that helps!
Federico Rodriguez
04-19-2005 01:52 PM
I have PIX Firewall Version 6.3(4).
The inside client computer is being NATed, at least that is what is configured on the PIX.
I added the following line and it allowed me to successfully connect via VPN to the outside server:
access-list 65 permit udp any host a.b.c.d eq 500
The PIX changed port 500 to isakmp. I selected port 500 because the logs indicated that the client was attempting to connect using port 500.
This allowed me to connect, is this the correct setup? I did not have to configure esp-ike in order to connect. How do I know if the traffic is secured?
Thanks in advance again.
04-20-2005 01:30 AM
hi sanchez
Yes, UDP 500 is used for ISAKMP. ISAKMP is the basic connectivity protocol for IPsec.
In case you are going through a NAT or PAT, you need to enable NAT translation at the remote end. "isakmp nat-traversal 20" is the command to be put on the remote PIX.
You need to open UDP 4500 in that case. Just add this to ACL 65:
access-list 65 permit udp any host a.b.c.d eq 4500
Once your IPsec is connected, all the traffic sent through it is secured. You need not worry after that.
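The pieces discussed in the two answers above, pulled together into one PIX 6.3 configuration fragment. This is an added example, not configuration from any of the posters. It assumes the interfaces are named inside and outside, that ACL 65 is the outbound filter applied to the inside interface (as the original poster's ACL 65 appears to be), that a.b.c.d is the VPN headend as in the thread, and that 203.0.113.10 and 192.168.1.10 are made-up addresses for the static-NAT option. Pick one of the two ESP options; both at once makes no sense, and esp-ike will be refused if ISAKMP is enabled on this PIX.

```cisco
! --- Outbound PAT for the inside network (the poster's "all inside traffic gets NATed") ---
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Let the inside client reach the headend a.b.c.d (placeholder from the thread) ---
! IKE (PIX rewrites "eq 500" to "eq isakmp"), NAT-T on UDP 4500, and raw ESP for the non-NAT-T case
access-list 65 permit udp any host a.b.c.d eq isakmp
access-list 65 permit udp any host a.b.c.d eq 4500
access-list 65 permit esp any host a.b.c.d
access-group 65 in interface inside

! --- Option A: ESP through the PAT address (PIX 6.3 and later) ---
! Only one client per PAT address at a time, and no tunnel may terminate on this PIX.
fixup protocol esp-ike

! --- Option B: one-to-one static NAT per VPN client instead of the fixup ---
! Each client keeps its own outside address (203.0.113.10 / 192.168.1.10 are assumed example addresses),
! so ESP passes unchanged and any number of clients can connect at once.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! --- On the remote (headend) PIX, as given in the last reply: keep NAT-T alive every 20 seconds ---
isakmp nat-traversal 20
```

If the headend supports NAT-T, the client and headend negotiate it during IKE and move ESP into UDP 4500 on their own, which is why the original poster connected without esp-ike: with NAT-T the PAT only ever sees UDP, and option A or B is needed only for a headend that does not do NAT-T. The "is the traffic secured" question is answered by the client itself: once phase 2 completes, everything matched by the client's security association leaves the host already ESP-encrypted, and the PIX only forwards it.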
04-20-2005 08:25 AM
awesome! thanks to everyone for the help.