Re: Easy Question (I hope...)

Discussion in 'Cisco' started by Walter Roberson, Jul 10, 2003.

  1. In article <>,
    Joe Giddings <> wrote:
    :Ok, I need to get my PIX 501 firewall to trust an outside company's ip
    :address. They have provided a VPN client to attach to their system to
    :process data quicker and easier. I have played with the firewall configs
    :until I am red with anger, but I still cannot get the VPN to connect.

    :Say the IP address of the outside site is (public).74. What do I need to
    :do? This seems like a simple procedure, but I cannot figure it out to save
    :my life!

    You need to find out what protocols that particular VPN client
    requires. Typically, that's some subnet of:

    - udp isakmp
    - udp 4500
    - tcp 1723
    - ip protocol esp
    - ip protocol ah
    - ip protocol gre

    If you are using an access-list on the inside interface, you will
    need to permit all the appropriate protocols out. The default is to
    allow everything out if you do not have an access-list applied to the
    inside interface.

    You may (but not -always-) need to create a static translation
    for the hosts that need to go to the remote system. If you only
    have a single public IP address for your PIX 501, then you are not
    going to be able to create a static translation that uses esp, ah, or
    gre; in this situation, you might be able to get further with 6.3(1).

    You will need to set the outside interface access-list to allow through
    the appropriate protocols [except tcp 1723] to the PC. tcp 1723 will
    be handled automatically by PIX's adaptive security.

    Depending on exactly which protocols the VPN needs, you might be able
    to use PAT instead of a static IP address. If, though, you are using
    PAT, you will not be able to use AH unless you are using PIX 6.3(1)
    with NAT-T [which is relatively new and not widely supported.]
    You cannot use PAT with GRE at all, and you cannot use PAT with ESP
    unless you are using 6.3(1) and use the new esp fixup, and even then
    you will only be able to use one VPN client machine at a time.
    *We* are now the times. -- Wim Wenders (WoD)
    Walter Roberson, Jul 10, 2003
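The pieces listed above, collected into one PIX 6.x configuration fragment. This is an added example, not part of the original post and not a configuration the poster supplied; every address in it is a constructed placeholder (203.0.113.74 for the outside company's VPN gateway, 198.51.100.2 for the PIX outside interface, 198.51.100.3 as a spare public address for the static, 192.168.1.10 for the inside PC), and it assumes the PIX has that spare public address available, since the post notes a static for esp/ah/gre is not possible with a single public IP. The rules are scoped to the one remote host so the firewall trusts only that site rather than the whole Internet.

```text
! Constructed example for PIX 6.x (not from the original post).
! Remote VPN gateway:  203.0.113.74   (stands in for "(public).74")
! PIX outside address: 198.51.100.2
! Spare public address for the static: 198.51.100.3
! Inside PC running the VPN client:    192.168.1.10

! One-to-one static so the remote side always sees the same public
! address for the PC; needed for esp/ah/gre, which carry no port to PAT on.
static (inside,outside) 198.51.100.3 192.168.1.10 netmask 255.255.255.255 0 0

! Inbound rules on the outside interface, limited to the one trusted peer.
! tcp 1723 is deliberately absent: the post notes the PIX handles PPTP
! control traffic itself.
access-list outside_in permit udp host 203.0.113.74 host 198.51.100.3 eq isakmp
access-list outside_in permit udp host 203.0.113.74 host 198.51.100.3 eq 4500
access-list outside_in permit esp host 203.0.113.74 host 198.51.100.3
access-list outside_in permit ah  host 203.0.113.74 host 198.51.100.3
access-list outside_in permit gre host 203.0.113.74 host 198.51.100.3
access-group outside_in in interface outside

! Only needed if an access-list is already applied to the inside interface;
! with no inside ACL the PIX permits all outbound traffic by default.
access-list inside_out permit udp host 192.168.1.10 host 203.0.113.74 eq isakmp
access-list inside_out permit udp host 192.168.1.10 host 203.0.113.74 eq 4500
access-list inside_out permit tcp host 192.168.1.10 host 203.0.113.74 eq 1723
access-list inside_out permit esp host 192.168.1.10 host 203.0.113.74
access-list inside_out permit ah  host 192.168.1.10 host 203.0.113.74
access-list inside_out permit gre host 192.168.1.10 host 203.0.113.74
access-group inside_out in interface inside
```

Before adding rules, confirm with the outside company which of these protocols their client actually uses and drop the rest; an IPsec client using NAT-T needs only isakmp and udp 4500 from this list, while a PPTP client needs tcp 1723 and gre and none of the IPsec entries. After applying the configuration, `show xlate` should show the static for 192.168.1.10 and `show access-list` should show hit counts climbing on the matching lines while the client connects; a line with zero hits points at a protocol the client is not sending or one the upstream is blocking.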