Velocity Reviews - Computer Hardware Reviews

VPN connection to offsite location through local PIX?

 
 
ChrisAllen
 
      06-29-2004
Hello,
I'm trying to connect to a VPN at another location, however it is not
working through the PIX firewall we have. If I try it from outside the
PIX, no problem. I have 4 users who want to access the same VPN, but
only 1 static IP, can I do this or will only 1 machine be able to
access the VPN?
 
 
 
 
 
Walter Roberson
 
      06-29-2004
In article <(E-Mail Removed) >,
ChrisAllen <(E-Mail Removed)> wrote:
:I'm trying to connect to a VPN at another location, however it is not
:working through the PIX firewall we have. If I try it from outside the
:PIX, no problem. I have 4 users who want to access the same VPN, but
:only 1 static IP, can I do this or will only 1 machine be able to
:access the VPN?

There are configurations under which it -can- work, but it depends
how the VPN is configured (on both ends) and it depends on your
PIX software version.

Best case for you would be PIX 6.3(1) or later, IPSec as the
VPN, enable isakmp nat-traversal and ensure that udp 500 and
udp 4500 and a negotiated UDP port are open from security gateway
to security gateway.

Worse case for you would be PPTP or software which is 6.2 or
earlier. PPTP needs GRE (IP protocol 47), which older PIXes
had no way to forward at all [assuming a single outside IP],
and as of 6.3(1) can still only forward to one device at a time.


--
We don't need no side effect-ing
We don't need no scope control
No global variables for execution
Hey! Did you leave those args alone? -- decvax!utzoo!utcsrgv!roderick
 
 
 
 
 
Tim Levy
 
      07-02-2004
Hi Chris,

> I'm trying to connect to a VPN at another location, however it is not
> working through the PIX firewall we have. If I try it from outside the
> PIX, no problem. I have 4 users who want to access the same VPN, but
> only 1 static IP, can I do this or will only 1 machine be able to
> access the VPN?


From what you say, it sounds as if you are using a software VPN client on
the four users' machines, and a pre-existing VPN server against which you
need the clients to be able to work. If you have only one static IP on the
outside of the PIX then, presumably, you are using PAT to give your users
access to the outside.

If the external VPN server is using PPTP (i.e. your users are using PPTP
clients, for example the PPTP option on the VPN connectoid that comes
built-in to Win 2k or XP), then you: (1) need to be running PIX firmware 6.3
and, (2) need to have the PPTP fixup enabled with:

fixup protocol pptp 1723

in order to get your users' outbound PPTP connections to work over PAT in
the PIX. From memory, I think the PPTP fixup is not enabled by default.

See the write-up in:

http://www.cisco.com/en/US/products/..._configuration_example09186a0080094a5a.shtml

and have a look at the section in there entitled 'Background theory'.

I hope that helps.

Tim Levy
London
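
Added example, not part of the thread or of any Cisco tooling: a small Python check that reads a saved PIX configuration and reports which of the conditions named in the two replies above are missing (software 6.3(1) or later, `fixup protocol pptp 1723` when PAT is in use, and `isakmp nat-traversal`). The sample configuration is constructed, and the assumption that PAT shows up as a `global (outside) N interface` line is this example's, not the posters'.

```python
import re

# Constructed sample of a PIX 6.x configuration (not taken from the thread).
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

def parse_version(config):
    """Return (major, minor, maintenance) from the 'PIX Version' line, or None."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)\((\d+)\)", config, re.MULTILINE)
    return tuple(int(g) for g in m.groups()) if m else None

def audit(config):
    """Return a list of findings for the conditions named in the replies."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    version = parse_version(config)
    if version is None:
        findings.append("version: no 'PIX Version' line found")
    elif version < (6, 3, 1):
        findings.append("version: %d.%d(%d) is older than 6.3(1)" % version)
    # Assumption: 'global (outside) N interface' means inside hosts share
    # the single outside IP (PAT).
    uses_pat = any(re.fullmatch(r"global \(outside\) \d+ interface", ln)
                   for ln in lines)
    # Exact match, so a negated 'no fixup protocol pptp 1723' does not count.
    if uses_pat and "fixup protocol pptp 1723" not in lines:
        findings.append("pptp: PAT in use but 'fixup protocol pptp 1723' is absent")
    if not any(ln.startswith("isakmp nat-traversal") for ln in lines):
        findings.append("ipsec: 'isakmp nat-traversal' is absent")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```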


 