Re: [fw-wiz] PIX VPN Question

From: Dave Rinker (firewall_at_dsrtech.com)
Date: 06/06/03

    To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    Date: 06 Jun 2003 00:41:34 -0400
    

    Wesley,

    I believe what you're looking for is:

    isakmp nat-traversal [natkeepalive]

    This is new to 6.3 code and permits you to connect to a PIX just as you
    would with a VPN concentrator with UDP/ESP.

    Hope this helps you in the right direction,
    Dave

    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#1027312

    On Thu, 2003-06-05 at 00:33, Noonan, Wesley wrote:
    > All,
    >
    > Having an issue with a VPN configuration for a PIX and I am missing
    > something that I can't figure out. Here is the scenario:
    >
    > VPNCLIENT-----PIX501----INET-----PIX506
    >
    > VPN Client is running Cisco VPN Client 4.0.1. PIX 506 is running 6.2(2). PIX
    > 501 is running 6.2(2).
    >
    > I have configured the PIX 506 to support clients connecting. If I connect
    > without the PIX501 in between the VPNCLIENT and the PIX506, it works
    > perfect. I connect, authenticate, can browse remote resources, can browse
    > the internet, everything. As soon as I put the VPNCLIENT behind the PIX501
    > it stops being able to connect.
    >
    > I have tried using it with "Enable Transport Tunneling" selected and using
    > both "IPSec over UDP/NAT" and "IPSec over TCP" with port 10000 in use. When
    > I set the UDP/Nat setting, I don't even see connection attempts being
    > translated in the PIX501. If I set it to TCP I can see the translations
    > created in the PIX501 but I don't see anything on the PIX506. Is there
    > something I need to run on the PIX506 to configure it to expect TCP VPN
    > connections inbound on port 10000? The PIX501 is running PAT on a single
    > external IP address.
    >
    > I have checked Cisco's website and can't find anything that details
    > configuring a VPN through a PIX using a VPNCLIENT. I feel like I am missing
    > something (obviously) but I can't seem to put my finger on what it is. Any
    > help is appreciated. Thanks.
    >
    > Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
    > Senior QA Rep.
    > BMC Software, Inc.
    > (713) 918-2412
    > wnoonan@bmc.com
    > http://www.bmc.com <http://www.bmc.com/>
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
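
What a capture between the two PIXes should show once NAT traversal is in use, as an added example that is not part of the original thread: it classifies UDP port 4500 payloads by the RFC 3948 framing (non-ESP marker before IKE, ESP in UDP, one-octet keepalive) and measures keepalive spacing. That PIX 6.3 uses this port and framing is an assumption, the function names are hypothetical, and the sample packets and their 20-second spacing are constructed.

```python
import struct
from collections import Counter

NON_ESP_MARKER = bytes(4)  # four zero octets precede IKE on UDP/4500
KEEPALIVE = b"\xff"        # one-octet NAT-keepalive payload
ISAKMP_HDR_LEN = 28

def classify(payload):
    """Return (kind, detail) for one UDP/4500 payload."""
    if payload == KEEPALIVE:
        return ("keepalive", None)
    if len(payload) < 8:
        return ("malformed", None)
    if payload[:4] == NON_ESP_MARKER:
        if len(payload) < 4 + ISAKMP_HDR_LEN:
            return ("malformed", None)
        return ("ike", payload[4 + 18])  # ISAKMP exchange type octet
    # A non-zero first word is the ESP SPI, followed by the sequence number.
    return ("esp", struct.unpack("!II", payload[:8]))

def summarize(packets):
    """packets: (timestamp_seconds, payload) pairs -> (counts, keepalive gaps)."""
    counts, gaps, last = Counter(), [], None
    for ts, payload in packets:
        kind, _ = classify(payload)
        counts[kind] += 1
        if kind == "keepalive":
            if last is not None:
                gaps.append(ts - last)
            last = ts
    return counts, gaps

def _ike(exchange_type):
    """Build a bare 28-octet ISAKMP header behind the non-ESP marker."""
    header = bytes(16) + bytes([0, 0x10, exchange_type, 0]) + bytes(4)
    return NON_ESP_MARKER + header + struct.pack("!I", ISAKMP_HDR_LEN)

# Constructed sample capture, not taken from the thread.
SAMPLE = [
    (0, _ike(4)),                                        # Aggressive Mode
    (1, struct.pack("!II", 0x1A2B3C4D, 1) + bytes(32)),  # ESP in UDP
    (21, KEEPALIVE),
    (41, KEEPALIVE),
    (42, b"\x00\x00"),                                   # truncated datagram
]

if __name__ == "__main__":
    counts, gaps = summarize(SAMPLE)
    print(dict(counts), "keepalive gaps:", gaps)
```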
