Velocity Reviews > Newsgroups > Computing > Cisco
allowing IPSEC traffic through Pix 515E

 
 
johnreyre@yahoo.com
      02-07-2005
OK,

I have searched high and low for this answer and cannot find anything
like this. I have a vendor that requires us to use their VPN device to
connect to their network. This device is configured to ping an
external server and, if there is a response, to connect to the secure
server located there over the internet. If there is no response then
it completes a dial backup. Only certain clients have access to the
VPN device. Routing is working, because if I turn the pings off the
clients can access the web server successfully over the dial backup.
When I turn ping back on we get a "page cannot be displayed" error (I am
seeing the ping successes), meaning the IPSEC tunnel is not making it
through the firewall. IAW the vendor instructions I have enabled the
ESP-IKE fixup protocol and created static rules for port 50 and 500.

My questions follow:

1. What am I missing?
I found references to ISAKMP NAT traversal, but in order to enable
that I need to disable the ESP-IKE protocol. I only have one client on
the inside of the firewall that is creating and accessing the tunnel
(the users connect through this device), and everything I have found on
ESP-IKE says that it should work.
2. Is there another port I need to enable?
3. The bottom line is I want to allow the IPSEC tunnel from the
internal device to pass through the firewall untouched.

I do not have access at all to the vendor device

Rules:
static (inside,outside) udp interface isakmp 192.168.1.251 isakmp
netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 500 192.168.1.251 500 netmask
255.255.255.255 0 0
static (inside,outside) tcp interface 50 192.168.1.251 50 netmask
255.255.255.255 0 0
Map:

PIX 515E 192.168.1.254
|
|
Switch
|
|
Vendor Device (cisco 1711) 192.168.1.251

Thanks in advance for all your help
John

 

Dumbkid
      02-07-2005
Here is a sample for configuring PIX to allow IPSec thru.

http://www.cisco.com/en/US/tech/tk58...8009486e.shtml

You only need to permit the ESP protocol and UDP port 500 (ISAKMP) from the outside.


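As an added example (not from either poster, and not the vendor's or Cisco's own configuration), here is how the reply's advice maps onto a PIX 6.3 configuration for the topology drawn in the question, where the Cisco 1711 at 192.168.1.251 builds the tunnel and the PIX only has to let it pass. The outside interface address 203.0.113.2 and the spare public address 203.0.113.10 are assumptions for illustration; substitute your own. Two points are worth stating explicitly because they explain the original statics: ESP is IP protocol 50, not TCP or UDP port 50, so a port-based static cannot carry it and PAT cannot translate it (there is no port to rewrite), which is why a pass-through tunnel needs either a one-to-one static for the VPN device or `fixup protocol esp-ike`; and `sysopt connection permit-ipsec` only bypasses the ACL for tunnels that terminate on the PIX itself, so it does not help for a tunnel that merely transits it.

```cisco
! Added example: PIX 6.3 configuration to pass an IPsec tunnel that is
! initiated by an inside device (192.168.1.251) through the firewall.
! 203.0.113.2 (outside interface) and 203.0.113.10 (spare public IP)
! are assumed addresses used for illustration only.
!
! --- Option 1: a spare public IP is available (preferred) ---
! One-to-one static: no PAT involved, so ESP (which has no ports)
! translates cleanly in both directions.
static (inside,outside) 203.0.113.10 192.168.1.251 netmask 255.255.255.255 0 0
!
! Inbound from the vendor side: IKE (UDP 500), NAT-T (UDP 4500) and
! ESP (IP protocol 50). Replacing "any" with the vendor's peer address
! is the tighter rule once that address is known.
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit udp any host 203.0.113.10 eq 4500
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside
!
! --- Option 2: only the outside interface address is available ---
! PAT cannot translate ESP, so the PIX must pair the ESP flow with the
! IKE exchange itself. This supports a single ESP tunnel at a time and
! cannot be used while ISAKMP is enabled on any PIX interface (the PIX
! then cannot terminate its own tunnels).
! fixup protocol esp-ike
! static (inside,outside) udp interface isakmp 192.168.1.251 isakmp netmask 255.255.255.255 0 0
! access-list outside_in permit udp any host 203.0.113.2 eq isakmp
! access-list outside_in permit esp any host 203.0.113.2
! access-group outside_in in interface outside
!
! --- Verification while the inside device brings the tunnel up ---
! show access-list outside_in   (hit counts on the isakmp and esp lines)
! show xlate                    (the translation for 192.168.1.251)
! show conn                     (UDP/500 and ESP connections present)
```

The "interface" keyword in the question's statics means PAT to the outside interface address, which is Option 2 territory; the UDP 500 static there is fine, but the two TCP statics for 50 and 500 never match IPsec traffic and can be removed. If the ISAKMP line in the ACL shows hits but the ESP line stays at zero, the vendor's peer is negotiating IKE but its ESP is being dropped before translation, which is the symptom of PAT without the esp-ike fixup.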
 
 
 