Cisco VPN client outbound through PIX

Tags:
Cisco
DataCenter
Help Desk
Networking
VPN
Hi, we have a client in our company who needs to access his work's VPN through our firewall. He is using the latest Cisco VPN client. The client software was configured by somebody else, not by myself. I have opened the ports specified by the other person (TCP 10000) on our PIX firewall, but our client still cannot connect to his VPN.

The default setting on the client was set to the NAT/PAT option, and when I tried to connect to his VPN it resulted in "Secure VPN connection terminated locally by client: Reason 412 - Remote peer is no longer responding". I then changed it to the IPsec/TCP option and I get the message "Secure VPN connection terminated locally by client: Reason 414 - Failed to establish TCP connection".

Appreciate any help as it's all new to me. Thanks, Andy

Answer Wiki


Check to see that you have the fixup protocol configured.

fixup protocol pptp 1723

Magnus

Discuss This Question: 7  Replies

  • Defcharge
    You must set up crypto maps to use the PIX VPN. If you do not, Cisco VPN clients connecting using VPN will not work. You can either use Easy VPN or crypto maps. I would suggest this article for samples. It's pretty easy. http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml
  • Defcharge
    I apologize for my previous answer. I read your message wrong. Please disregard my previous answer. As far as your dilemma: if you have a static address to provide this user then it will be easy; set up a conduit or ACL to allow this user's IP address to pass IPsec traffic to his VPN device. Is the device on the other end a Cisco VPN concentrator or PIX firewall? The ports for that type of access are usually UDP 500, UDP 4500, and 10000. There are also some other protocols such as ESP, AH, GRE, and ISAKMP. You may want to check those ports to ensure you have the ability to receive that type of traffic on your firewall. PPTP is an MS protocol; it's not used on Cisco VPN clients.
  • Andy11983
    Hi, thanks for all your help, it's much appreciated. I don't know what is at the other end of the VPN. The IT guy who set up the VPN client told me to open port 10000, which I have done (he was really bossy), and now he's giving me grief because the client won't connect. Anyway, the client uses several machines within an office (which is a separate VLAN). We have ACLs in place for regular traffic and ports etc. (port 80 and 21). How do I go about setting this up for IPsec? Is it difficult to do? Thanks for all your help again. Thanks, Andy
  • R8escjohn
    Here is the rule I put in our PIX 501 to allow VPN from Inside: Permit->Source IP Address 0.0.0.0 :Outside->IP Prot ESP->Dest IP Address 0.0.0.0 Inside Hope this info helps!
  • Astronomer
    Does the person at your location have a public address? If so, you can use the rules we have to let IPsec come in from a distant PIX thru our PIX. Here they are:
    access-list outside_access_in remark inside ipsec clients to external pix
    access-list outside_access_in permit udp host xx.xx.xx.xx xx.xx.xx.0 255.255.240.0 eq isakmp
    access-list outside_access_in permit esp host xx.xx.xx.xx xx.xx.xx.0 255.255.240.0
    We have a default rule letting nearly everything out (I want to tighten this in the future). Another rule we have is:
    sysopt connection permit-ipsec
    Actually we just clicked the bypass access check for IPsec and L2TP in the GUI. These rules allow IPsec both ways to the other organization's PIX without NAT. If you are NATing then you need to decide whether you want to tunnel the IPsec under TCP or UDP. A hint here is the port you specified. When you encapsulate IPsec under TCP with an Easy VPN client the default port is 10000. I would try opening this TCP port both ways between the client and the other company's PIX and make sure your PIX is set to allow IPsec thru it. Our Cisco instructor said if you don't tell the PIX to let IPsec thru, it will kill any encrypted packets it sees. I can't promise this will work because we don't NAT our addresses. rt
  • Andy11983
    Very nice article.. Thanks for sharing..
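As an added example (not code from the thread, from TechTarget or from Cisco), the Python script below applies the checklist Defcharge and Astronomer give: it parses PIX 6.x-style access-list lines and evaluates them first-match to see whether an inside client is allowed to send, to one remote VPN peer, the traffic each Cisco VPN client transport needs (UDP 500 and UDP 4500 for NAT-T, TCP 10000 for IPsec over TCP, UDP 500 plus the ESP protocol for native IPsec). The ACL name inside_out, the 192.168.50.0/24 client VLAN, the 203.0.113.10 peer address and the mode labels are constructed assumptions; the "weak" sample ACL mirrors the original poster's situation (web, FTP and TCP 10000 permitted, nothing else) and the "fixed" one adds the missing permits.

```python
"""Audit a PIX 6.x access-list for the outbound permits a Cisco VPN client needs.

Added example, not code from the thread or from Cisco. Addresses, the ACL name
and the transport-mode labels are constructed for illustration.
"""
import ipaddress
import re

# PIX port keywords understood here; any other keyword becomes -1 so it can
# never be mistaken for one of the ports being checked.
PORT_NAMES = {"isakmp": 500, "www": 80, "ftp": 21, "domain": 53}

# Outbound traffic each client transport needs, as the replies describe:
# NAT-T = UDP 500 + UDP 4500, IPsec over TCP = TCP 10000 (the client default),
# native IPsec = UDP 500 plus IP protocol ESP.
REQUIRED = {
    "udp-nat-t": [("udp", 500), ("udp", 4500)],
    "tcp": [("tcp", 10000)],
    "native": [("udp", 500), ("esp", None)],
}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any|\S+ \S+)\s+(?P<dst>host \S+|any|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

# Constructed sample mirroring the original post: only web, FTP and TCP 10000
# are allowed out of the client's VLAN, then everything else is denied.
WEAK_ACL = """
access-list inside_out remark constructed example, not a real configuration
access-list inside_out permit tcp 192.168.50.0 255.255.255.0 any eq www
access-list inside_out permit tcp 192.168.50.0 255.255.255.0 any eq ftp
access-list inside_out permit tcp 192.168.50.0 255.255.255.0 any eq 10000
access-list inside_out deny ip any any
"""

# The same ACL with the IKE, NAT-T and ESP permits added for one remote peer.
FIXED_ACL = WEAK_ACL.replace(
    "access-list inside_out deny ip any any",
    "access-list inside_out permit udp 192.168.50.0 255.255.255.0 host 203.0.113.10 eq isakmp\n"
    "access-list inside_out permit udp 192.168.50.0 255.255.255.0 host 203.0.113.10 eq 4500\n"
    "access-list inside_out permit esp 192.168.50.0 255.255.255.0 host 203.0.113.10\n"
    "access-list inside_out deny ip any any",
)

def _network(token):
    """Turn a PIX address token ('any', 'host A', 'A MASK') into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _port(token):
    if token is None:
        return None                      # no 'eq' clause: any port
    return int(token) if token.isdigit() else PORT_NAMES.get(token, -1)

def parse_acl(text, name):
    """Entries of access-list `name`, in configuration order (remarks skipped)."""
    rules = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            rules.append({"action": m.group("action"), "proto": m.group("proto"),
                          "src": _network(m.group("src")), "dst": _network(m.group("dst")),
                          "port": _port(m.group("port"))})
    return rules

def is_permitted(rules, proto, port, src_ip, dst_ip):
    """First-match evaluation, with the PIX implicit deny when nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if proto in ("tcp", "udp") and r["port"] not in (None, port):
            continue
        if src in r["src"] and dst in r["dst"]:
            return r["action"] == "permit"
    return False

def missing_permits(acl_text, acl_name, mode, client_ip, peer_ip):
    """(proto, port) pairs that `mode` needs but the ACL does not permit."""
    rules = parse_acl(acl_text, acl_name)
    return [(proto, port) for proto, port in REQUIRED[mode]
            if not is_permitted(rules, proto, port, client_ip, peer_ip)]

if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        for mode in REQUIRED:
            gaps = missing_permits(acl, "inside_out", mode, "192.168.50.25", "203.0.113.10")
            print(f"{label:5s} {mode:9s} missing: {gaps or 'nothing'}")
```

Run against the weak ACL, only the "tcp" mode comes back clean, which matches the poster's Reason 414 result: TCP 10000 is open but the client never gets an answer on it, so opening that port alone is not enough unless the far end actually listens for IPsec over TCP. The check deliberately ignores the `sysopt connection permit-ipsec` setting and any NAT configuration, which Astronomer's reply notes are separate conditions; it only tells you which access-list permits are absent.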
