RE: [fw-wiz] Cisco VPN client behind a Netscreen

From: Andy Lyakhovetskiy (andy_at_net4bay.com)
Date: 11/11/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 10 Nov 2003 23:30:08 -0800

    If you have OS v2.6, then you have to use MIPs; in v3.x and v4.x there
    is a setting Configure->"Bypass-others-ipsec".

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Melson,
    Paul
    Sent: Thursday, November 06, 2003 5:45 AM
    To: Aram Smith; firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] Cisco VPN client behind a Netscreen

    Aram,

    You do not need to create an IPSec policy on the NetScreen for VPN
    clients that are passing through it. (The same would be true if you had
    a VPN concentrator behind it and users were connecting inbound from the
    Internet.)

    This problem most likely has to do with source port translation being
    performed by the NetScreen as part of its NAT rules for outbound
    traffic. The PIX will likely complain if the source port of the VPN
    client connection isn't 500 or 4500 as appropriate and prevent the
    tunnel from coming all the way up. The best fix for this is to upgrade
    the PIX OS version to a current release and enable the 'isakmp
    nat-traversal' feature.

    However, since you don't have control over the PIX, another solution
    would be to configure a static NAT (NetScreen calls this MIP, or Mapped
    IP?) for just the VPN client workstation's IP address to an otherwise
    unused IP address on the firewall's outside subnet. This should prevent
    the source port from being modified when making the connection.

    Good luck!

    PaulM

    -----Original Message-----
    I have recently implemented a Netscreen 50 and I have users behind it
    that use a Cisco VPN client to connect to a Cisco Pix which I have no
    control over. Their VPN client is not functioning properly. Currently I
    have a policy allowing outbound traffic any from all inside. Does anyone
    know if I also need to create an IPSEC policy for inbound traffic?
    Thanks, Aram Smith

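As an added illustration of Paul's diagnosis (example code, not from the thread or from any vendor): a script that scans constructed, NetScreen-style session records and flags IKE flows whose source port was rewritten by outbound PAT, the condition that a MIP (or NAT-T on the peer) avoids. The log line format and field names are assumptions, not a real NetScreen log format.

```python
"""Triage of firewall session records for IKE flows that were source-port
translated (PAT).  Constructed example; not from the thread or from Juniper.

IKE (ISAKMP) uses UDP/500 and NAT-T uses UDP/4500.  A peer without NAT-T
support expects the IKE source port to stay 500; when an outbound NAT rule
rewrites it, the tunnel may not come all the way up.  A MIP (static 1:1 NAT)
leaves the port untouched, so such flows are not reported here.
"""
import re
from collections import defaultdict

IKE_PORTS = {500: "isakmp", 4500: "ipsec-nat-t"}

# Constructed, NetScreen-like key=value session lines (format is assumed).
SAMPLE_LOG = """\
src=10.1.1.25:500 dst=203.0.113.9:500 proto=17 xlate=198.51.100.2:1027 rule=any-outbound
src=10.1.1.25:4500 dst=203.0.113.9:4500 proto=17 xlate=198.51.100.2:1028 rule=any-outbound
src=10.1.1.30:500 dst=203.0.113.9:500 proto=17 xlate=198.51.100.7:500 rule=mip-vpn-host
src=10.1.1.40:53 dst=192.0.2.53:53 proto=17 xlate=198.51.100.2:1029 rule=any-outbound
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\d+) xlate=(?P<xip>[\d.]+):(?P<xport>\d+)")

def parse_sessions(text):
    """Yield one dict per parseable session line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {k: (int(v) if k in ("sport", "dport", "proto", "xport") else v)
                   for k, v in m.groupdict().items()}

def find_translated_ike(text):
    """Return {inside_host: [(service, orig_port, translated_port), ...]}
    for UDP IKE flows whose source port was changed by NAT (PAT)."""
    findings = defaultdict(list)
    for s in parse_sessions(text):
        if s["proto"] != 17 or s["dport"] not in IKE_PORTS:
            continue  # not an IKE / NAT-T flow
        if s["sport"] != s["xport"]:
            findings[s["src"]].append((IKE_PORTS[s["dport"]], s["sport"], s["xport"]))
    return dict(findings)

if __name__ == "__main__":
    for host, flows in find_translated_ike(SAMPLE_LOG).items():
        for svc, orig, new in flows:
            print(f"{host}: {svc} source port {orig} -> {new}; "
                  "peer needs NAT-T or host needs a MIP")
```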
