allowing IPSEC traffic through Pix 515E

Discussion in 'Cisco' started by johnreyre@yahoo.com, Feb 7, 2005.

  1. Guest

    ok,

    I have searched high and low for this answer and cannot find anything
    like this. I have a vendor that requires us to use their VPN device to
    connect to their network. This device is configured to ping an
    external server and, if there is a response, to connect to the secure
    server located there over the internet. If there is no response then
    it completes a dial backup. Only certain clients have access to the
    VPN device; routing is working because if I turn the pings off the
    clients can access the web server successfully over the dial backup.
    When I turn ping back on we get a "page cannot be displayed" error (I am
    seeing the ping successes), meaning the IPSEC tunnel is not making it
    through the firewall. IAW with vendor instructions I have enabled the
    ESP-IKE fixup protocol and created static rules for port 50 and 500.

    My questions follow:

    1. What am I missing?
    I found references to ISAKMP NAT traversal, but in order to enable
    that I need to disable the ESP-IKE protocol. I only have one client on
    the inside of the firewall that is creating and accessing the tunnel
    (the users connect through this device); everything I have found on
    ESP-IKE is that it should work.
    2. Is there another port I need to enable?
    3. The bottom line is I want to allow the IPSEC tunnel from the
    internal device to pass through the firewall untouched.

    I do not have access at all to the vendor device.

    Rules:
    static (inside,outside) udp interface isakmp 192.168.1.251 isakmp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 500 192.168.1.251 500 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 50 192.168.1.251 50 netmask 255.255.255.255 0 0

    Map:

    PIX 515E 192.168.1.254
    |
    |
    Switch
    |
    |
    Vendor Device (cisco 1711) 192.168.1.251

    Thanks in advance for all your help
    John
    , Feb 7, 2005
    #1

  2. Dumbkid Guest

    Here is a sample for configuring PIX to allow IPSec through.

    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

    You only need to permit the ESP protocol and UDP port 500 (ISAKMP) from outside.

    Dumbkid, Feb 7, 2005
    #2
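As a worked example added here (not taken from the thread or from the linked Cisco document), this PIX 6.x fragment does what Dumbkid describes: a one-to-one static for the vendor device plus an inbound ACL that permits only ESP and UDP/500 to it. PUBLIC_IP is a placeholder for a spare public address on the outside network and the ACL name outside_in is assumed.

```cisco
! Added example, not the thread's own config. PUBLIC_IP is a placeholder.
! ESP is IP protocol 50, not a TCP or UDP port, so a port-level static
! (tcp/udp ... 50) never matches it; the whole address must be translated.
static (inside,outside) PUBLIC_IP 192.168.1.251 netmask 255.255.255.255 0 0

! Inbound policy on the outside interface: only IKE (UDP/500) and ESP,
! and only to the translated address of the vendor device.
access-list outside_in permit udp any host PUBLIC_IP eq isakmp
access-list outside_in permit esp any host PUBLIC_IP
! Only if the remote gateway negotiates NAT traversal: IKE/ESP then move
! to UDP/4500, so that port must be open as well.
access-list outside_in permit udp any host PUBLIC_IP eq 4500
access-group outside_in in interface outside

! Verification: hit counts on the two entries should increase while the
! vendor device is bringing the tunnel up.
! show access-list outside_in
! show xlate
```

This assumes a second public address is available; with a single PAT address on the outside interface a one-to-one static is not possible, which is the case the esp-ike fixup in the original post is meant to cover.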
