RE: [fw-wiz] PIX 515 and Cisco VPN client from inside

• Previous message: Wes Noonan: "RE: [fw-wiz] PIX 515 and Cisco VPN client from inside"
• Maybe in reply to: Robert L. Wanamaker: "RE: [fw-wiz] PIX 515 and Cisco VPN client from inside"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Sat, 30 Aug 2003 22:05:17 +1000

Hi,

>Im new to the list and apologize if this question being asked before. I
>read through 2003 archives and couldnt find anything similar.
>
>Our company uses a PIX 515 with 3 legs, OUTSIDE, DMZ and INSIDE We have
>users doing VPN tunnels from their homes with Cisco VPN client 4 and
>terminating the tunnels at the PIX. This works great. But we cant
>create tunnels from INSIDE and terminating at other customers
>endpoints. The tunnels are easily created if we work outside our PIX.
>The PIX 515 do PAT for all INSIDE connections using outside interface
>IP. Is there any hooks when doing VPN over PAT with Cisco clients ?
>
>
>regards
>Marko Kupiainen
>CIO Microcraft AB

The caveat is that the pix is unable to terminate ipsec and have pass
through ipsec at the same time when you are using the pix external
interface address (pat).

The remote site should be able to configure udp 4500 (if they have a
pix) or tcp 10000 (if they have a vpn concentrator, this port can also
be changed) encapsulation of the payload. On the remote pix, this is
done with:

   isakmp nat-traversal

You also need to enable "transparent tunneling" under the "transport"
for the connection definition in the vpn client, otherwise, the payload
will be sent using protocol 50 as per normal.

Note - it appears that if you have more than 1 cisco vpn client passing
through your pix that is terminating on the same endpoint, the pix
increments the udp encapsulation port

Hope this helps.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Wes Noonan: "RE: [fw-wiz] PIX 515 and Cisco VPN client from inside"
• Maybe in reply to: Robert L. Wanamaker: "RE: [fw-wiz] PIX 515 and Cisco VPN client from inside"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [fw-wiz] Cisco VPN Client Behind a Cisco PIX or Router ... I have configured a Cisco VPN Client to connect to a Cisco PIX ... isakmp policy 10 authentication pre-share ... (Firewall-Wizards) [fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason ... Well, after researching, configuring, reconfiguring, and just a bit ... the vpn client through the SecureWay firewall. ... The PiX is outside the firewall, on its own line/lines (explained in a ... the vpn eventually) can access the internet fine. ... (Firewall-Wizards) RE: [fw-wiz] Pix 501 & 506 PixOS 7.0 compatability ... The info I got from a Cisco Security SE is that the 501 and 506 will support ... >>I am trying to configure a cisco pix as a vpn endpoint for the cisco ... >independent of anything the PIX or VPN client do. ... (Firewall-Wizards) Re: no internet when connected to pix with vpn client ... Take a look at this Configuring Cisco Secure PIX and VPN Client Doc: ... (comp.dcom.sys.cisco) VPN client asks for username and password when connecting! ... Authentication" on the connection, when they double click the entry it ... to connect to this device using the Cisco VPN client. ... VPN client settings in the same manner as the 501, ... user on the PIX and added the user to the group I created (note I never ... (comp.dcom.sys.cisco)