Comments on: cisco vpn client outbound through PIX

By: Brianna Proehl

Brianna Proehl — Thu, 04 Feb 2010 16:24:12 +0000

Very nice article.. Thanks for sharing..

By: astronomer

astronomer — Fri, 08 Apr 2005 15:05:15 +0000

Does the person at your location have a public address? If so, you can use the rules we have to let IPsec come in from to a distant PIX thru our PIX.
Here they are:
access-list outside_access_in remark inside ipsec clients to external pix
access-list outside_access_in permit udp host xx.xx.xx.xx xx.xx.xx.0 255.255.240.0 eq isakmp
access-list outside_access_in permit esp host xx.xx.xx.xx xx.xx.xx.0 255.255.240.0
We have a default rule letting nearly everything out, (I want to tighten this in the future).
Another rule we have is: sysopt connection permit-ipsec
Actually we just clicked the bypass access check for ipsec and l2tp in the GUI.
These rules allow IPsec both ways to the other organizations PIX without NAT.
If you are NATing then you need to decide whether you want to tunnel the IPsec under TCP or UDP. A hint here is the port you specified. When you encapsulate IPsec under TCP with an easy vpn client the default port is 10000. I would try opening this TCP port both ways between the client and the other campany’s PIX and make sure your PIX is set to allow IPsec thru it. Our cisco instructor said if you don’t tell the PIX to let IPsec thru, it will kill any encrypted packets it sees.
I can’t promise this will work because we don’t NAT our addresses.
rt

By: r8escjohn

r8escjohn — Fri, 08 Apr 2005 11:33:22 +0000

Here is the rule I put in our PIX 501 to allow VPN from Inside:
Permit->Source IP Address 0.0.0.0 :Outside->IP Prot ESP->Dest IP Address 0.0.0.0 Inside
Hope this info helps!

By: andy11983

andy11983 — Fri, 08 Apr 2005 09:13:50 +0000

Hi,

Thanks for all your help its much appreciated,

I dont know what is at the other end of vpn. The IT guy who set up the vpn client – told me to open port 10000 which i have done (he was really bossy) and now hes giving me grief because the client wont connect.

Anyway the client uses several machines withing an office (which is a seperate vlan).

We have ACL’S in place for regular traffic and ports etc (port 80 and 21) how do i go about setting thi sup for IPSEC ? is it difficult to do?

Thanks for all your help again

Thanks

Andy

By: defcharge

defcharge — Fri, 08 Apr 2005 05:11:11 +0000

I apologize for my previous answer. I read your message wrong. Please disregard my previous answer.

As far as your dilemma. If you have a static address to provide this user then it will be easy, setup a conduit or acl to allow this user ip address to pass IPSEC traffic to his VPN device. Is the device on the other end a Cisco VPN concentrator or Pix firewall? the ports for that type of access is usually UDP 500, UDP 4500, and 10000. There are also some other protocols such as esp, ah, gre, and isakmp. You may want to check those ports to ensure you have the ability to receive that type of traffic on your firewall. PPTP is a MS protocol its not used on Cisco VPN clients.

By: defcharge

defcharge — Fri, 08 Apr 2005 04:42:53 +0000

You must setup crypto maps to use the Pix VPN. If you do not Cisco VPN clients connecting using VPN will not work. You can either use EasyVPN or Crypto Maps. I would suggest this article for samples. Its pretty easy.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

By: defcharge

defcharge — Fri, 08 Apr 2005 04:41:42 +0000

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml