Re: Pix VPN client question

From: Lucy (lucy@nospam.com)
Date: 05/18/02


From: "Lucy" <lucy@nospam.com>
Date: Sat, 18 May 2002 15:41:32 +0200

Hi Michael

Thx for your answer. Unfortunately you have misunderstood my actual
question.

The IAS server, and access to it, works like a charm. I can make a
connection to the IAS/LAN behind the Pix 506 if I place my PC outside my own
Pix501, but I can't connect to it if I sit behind my own firewall.

My problem is, how to allow a Cisco VPN client on my net to go through my
own private Pix501 and make a connection to i.e. the IAS server on the
Pix506 (or just make a VPN connection to any Pix).

In other words, how to set permissions on my Pix501 to use a VPN client from
the inside. I want to be able to make VPN connections to different Pix50x
(VPN tunneling between Pix-Pix is not an option). Is it possible?

Lucy

"Michael Sherman" <m-sherman.spam@cox.net> wrote in message
news:j98beuoglrg81345apkobub8rhtrki2lm9@4ax.com...
> You would use access-lists (Conduit would work too - but we are not
> the Flintstones) - You could do one of two things - either open it wide
> from outside in (Not recommended) or you could have the connections
> redirect to your IAS server. To do the redirect you would have to
> create static routes from the outside address to your IAS server then
> create access-lists and an access-group.
>
> Been a bit so not sure this context is exactly right, but should get
> you pointed in the right direction.
>
> Static route would be:
>
> static (inside,outside) "outside address here" "IAS address here"
> netmask "netmask of the IAS server here"
>
> The above will handle the static translation from outside to inside.
>
> Static routes would be:
>
> access-list out permit ip any host "IASServer" eq 50
> access-list out permit ip any host "IASServer" eq 51
> access-list out permit UDP any host "IASServer" eq 500
>
> Global Group would be: (To bind your "out" access-list to the outside
> interface)
>
> Global out in inside
>
>
> I think there is more for adding the global group - it escapes me
> right now. I am not the best on PIX. Either way, this should point
> you in the right direction.
>
> -Mike Sherman-
>
> On Tue, 14 May 2002 00:00:38 +0200, "JON" <jon@nospam.com> wrote:
>
> >Hi Michael
> >
> >Thank you very much for your input.
> >
> >Do you know which commands to run on the Pix to enable protocol 50, 51 and
> >UDP 500? I know my way around a Pix...but that's about it. If I should allow
> >i.e. IP protocol 50 I could make an access-list, but how do you enable a
> >protocol through an access-list or conduit? Do you know the precise entries
> >on the Pix (or relevant reading material. I am willing to do my own study if
> >someone would point me in the right direction ;o) ).
> >
> >But again thx for your help so far.
> >
> >Best regards
> >JON
> >
> >"Michael Sherman" <m-sherman.spam@cox.net> wrote in message
> >news:m6mtduge55i9jsac8bppmc1uf338vrhda9@4ax.com...
> >> If it is IPSec compliant - Which I believe it is, You will need the
> >> following open to allow it to pass through your FW.
> >>
> >> IP 50
> >> IP 51
> >> UDP 500
> >>
> >> These are your ISAKMP/IKE Ports. Should work fine with that.
> >>
> >> On Sat, 11 May 2002 03:27:08 +0200, "JON" <JON@nah.com> wrote:
> >>
> >> >Hi,
> >> >
> >> >One question.
> >> >
> >> >Setup:
> >> >- An office behind a Pix 506 with VPN enabled, configured to use an IAS
> >> >server for authentication.
> >> >- I am sitting behind a Pix 501 and would like to connect to the above
> >> >mentioned office with the Cisco VPN client. Making a VPN tunnel between
> >> >the two Pix isn't an option.
> >> >
> >> >What do I have to open on my Pix firewall to be able to use the VPN
> >client
> >> >through my firewall? (I would appreciate if you would state the correct
> >> >config lines or help me find some reading materials).
> >> >
> >> >Thx in advance.
> >> >
> >> >JON
> >> >
> >>
> >>
> >>
> >> m-sherman-spam@cox.net
> >> --------------------------
> >> Remove the -spam for email
> >
>
>
>
> m-sherman-spam@cox.net
> --------------------------
> Remove the -spam for email
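Added checker, not from this thread or from Cisco: a small Python model of PIX-style access-list entries that verifies the three IPsec flows Michael names (IP protocol 50, IP protocol 51, UDP 500) are permitted toward a given peer, and that rejects the "permit ip ... eq 50" form because "eq" only applies to TCP/UDP ports. The peer address 192.0.2.10 is a constructed placeholder, and the same check applies unchanged to an outbound list on the inside interface, which is the direction Lucy's client needs.

```python
# Toy checker for PIX-style access-list lines (constructed example, not the
# PIX parser): confirms a rule set passes the three IPsec flows the thread
# names (ESP = IP protocol 50, AH = 51, IKE = UDP/500) before it goes on a box.
import re
from collections import namedtuple

Flow = namedtuple("Flow", "proto dst dport")   # dport is None for ESP/AH
PROTO_NUM = {"ip": None, "esp": 50, "ah": 51, "udp": 17, "tcp": 6}
PORT_PROTOS = {6, 17}   # only TCP/UDP carry ports, so only they accept "eq"
RULE_RE = re.compile(
    r"access-list\s+\S+\s+(permit|deny)\s+(\w+)\s+(?:any|host \S+)\s+"
    r"(?:any|host (\S+))(?:\s+eq\s+(\d+))?$", re.IGNORECASE)

def parse_rule(line):
    """Return (action, proto_number, dst_host, dst_port); reject bad syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    action, proto, dst_host, port = m.groups()
    pnum = PROTO_NUM[proto.lower()]
    if port is not None and pnum not in PORT_PROTOS:
        # the thread's "permit ip ... eq 50" slip: 50 is a protocol, not a port
        raise ValueError(f"'eq' is only valid after tcp/udp: {line!r}")
    return (action.lower(), pnum, dst_host, int(port) if port else None)

def permitted(rules, flow):
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    for action, pnum, dst_host, port in rules:
        if pnum is not None and pnum != flow.proto:
            continue
        if dst_host is not None and dst_host != flow.dst:
            continue
        if port is not None and port != flow.dport:
            continue
        return action == "permit"
    return False

def ipsec_gaps(rules, peer):
    """Names of the IPsec flows toward `peer` that the rule set still blocks."""
    needed = {"ESP": Flow(50, peer, None), "AH": Flow(51, peer, None),
              "IKE": Flow(17, peer, 500)}
    return sorted(name for name, flow in needed.items()
                  if not permitted(rules, flow))

def check_sample():
    """Constructed sample: a corrected 'out' list, doc address as the peer."""
    cfg = ["access-list out permit esp any host 192.0.2.10",
           "access-list out permit ah any host 192.0.2.10",
           "access-list out permit udp any host 192.0.2.10 eq 500"]
    return ipsec_gaps([parse_rule(line) for line in cfg], "192.0.2.10")
```

ESP and AH carry no port numbers, which is why the checker refuses "eq" on them and also why a PIX doing port address translation for inside hosts cannot multiplex those protocols the way it does TCP/UDP sessions.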


