Velocity Reviews - Computer Hardware Reviews

Re: Easy Question (I hope...)

Walter Roberson
      07-10-2003
In article <(E-Mail Removed)>,
Joe Giddings <(E-Mail Removed)> wrote:
:Ok, I need to get my PIX 501 firewall to trust an outside company's ip
:address. They have provided a VPN client to attach to their system to
:process data quicker and easier. I have played with the firewall configs
:until I am red with anger, but I still cannot get the VPN to connect.

:Say the IP address of the outside site is (public).74. What do I need to
:do? This seems like a simple procedure, but I cannot figure it out to save
:my life!

You need to find out what protocols that particular VPN client
requires. Typically, that's some subnet of:

- udp isakmp
- udp 4500
- tcp 1723
- ip protocol esp
- ip protocol ah
- ip protocol gre

If you are using an access-list on the inside interface, you will
need to permit all the appropriate protocols out. The default is to
allow everything out if you do not have an access-list applied to the
inside interface.

You may (but not -always-) need to create a static translation
for the hosts that need to go to the remote system. If you only
have a single public IP address for your PIX 501, then you are not
going to be able to create a static translation that uses esp, ah, or
gre; in this situation, you might be able to get further with 6.3(1).

You will need to set the outside interface access-list to allow through
the appropriate protocols [except tcp 1723] to the PC. tcp 1723 will
be handled automatically by PIX's adaptive security.

Depending on exactly which protocols the VPN needs, you might be able
to use PAT instead of a static IP address. If, though, you are using
PAT, you will not be able to use AH unless you are using PIX 6.3(1)
with NAT-T [which is relatively new and not widely supported.]
You cannot use PAT with GRE at all, and you cannot use PAT with ESP
unless you are using 6.3(1) and use the new esp fixup, and even then
you will only be able to use one VPN client machine at a time.
--
*We* are now the times. -- Wim Wenders (WoD)
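As an added illustration (not part of Walter's reply or any Cisco documentation), this is what the outside access-list and the static translation he describes look like in PIX 6.x syntax. It assumes placeholder addresses: the remote VPN gateway "(public).74" is written as 203.0.113.74, a spare public address 198.51.100.5 on the outside interface is used for the static, the VPN client PC sits at 192.168.1.10 inside, and the access-list name outside_in is arbitrary.

```cisco
! Added example, not from the original post. All addresses are placeholders.
! No access-list is applied to the inside interface, so everything is
! permitted outbound by default, as the reply notes.

! One-to-one static so the remote peer always sees the same public address
! for the VPN client PC (needed for esp/ah/gre, which carry no port numbers).
static (inside,outside) 198.51.100.5 192.168.1.10 netmask 255.255.255.255

! Permit only the protocols this particular VPN client actually uses.
! Delete the lines for protocols the vendor confirms are not needed.
access-list outside_in permit udp host 203.0.113.74 host 198.51.100.5 eq isakmp
access-list outside_in permit udp host 203.0.113.74 host 198.51.100.5 eq 4500
access-list outside_in permit esp host 203.0.113.74 host 198.51.100.5
access-list outside_in permit ah  host 203.0.113.74 host 198.51.100.5
access-list outside_in permit gre host 203.0.113.74 host 198.51.100.5
! tcp 1723 (PPTP control) is deliberately absent: the reply says the PIX
! adaptive security handles the return traffic for that session itself.

! Apply the list inbound on the outside interface.
access-group outside_in in interface outside
```

Every permit is pinned to the single remote gateway address and the single translated host, so the rules open nothing beyond the one VPN relationship being set up.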