vpn client behind PIX 501

Discussion in 'Cisco' started by tractng@gmail.com, May 31, 2005.

  1. Guest

    Guys,

    I am trying to set up a VPN client for my wife to connect to her work.

    The VPN client is "Secure VPN Client - Mobile User VPN". What do I need
    to do on my end if I have a PIX 501 (PIX Version 6.3(1))? I am
    initiating the connection from behind my PIX.

    As of now, I just have the default setup.

    I am getting the following log errors:

    Severity (3) 305006: portmap translation creation failed for protocol 50
    scr inside: 192.168.x.xx dst outside:66.12.xx.xxx

    Severity (6) 305012: teardown dynamic UDP translation from
    inside:192.168.x.xx/500 to outside:66.159.xx.xx/12 duration 0:01:32

    btw, I really don't know what my wife's workplace is using besides the
    VPN client that was given to her to install. Once the VPN client is
    installed, she then uses Citrix to connect through the VPN. I am
    assuming it is IPsec compliant.

    Thanks in advance.

    Tony
     
    , May 31, 2005
    #1

  2. <> wrote:

    > The vpn client is "Secure VPN Client - Mobile User VPN". What do i
    > need to do on my end if I have a pix 501 (version PIX Version 6.3(1).


    What you need is

    fixup protocol esp-ike

    but you can use it only if you don't have any VPN tunnels
    from your PIX. And I'm not quite sure that this feature
    exists in 6.3(1).

    Please check the release notes from

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/index.htm
     
    Jyri Korhonen, Jun 1, 2005
    #2

  3. Guest

    Jyri,

    I will give it a try tonight when I get out of work.


    Thanks,
    Tony
     
    , Jun 1, 2005
    #3
  4. Guest

    Guys,

    I have tried what Jyri suggested:

    fixup protocol esp-ike

    Now I am getting this message in the log:

    106010: Deny inbound protocol 50 scr outside:66.12.xx.xxx dst
    inside:66.159.xxx.xx

    Do I allow protocol 50 through my PIX? What is the syntax?

    btw, 66.12.xx.xxx is the VPN gateway I am trying to connect to, and
    66.159.xxx.xx is my public IP assigned by the ISP.

    Thanks in advance.
    Tony
     
    , Jun 2, 2005
    #4
  5. oTTo Guest

    <> wrote in message
    news:...
    > Guys,
    >
    > I have tried with Jyri suggested:
    >
    > fixup protocol esp-ike
    >
    > Now, I am getting message from the log.
    >
    > 106010: Deny inbound protocol 50 scr outside:66.12.xx.xxx dst
    > inside:66.159.xxx.xx
    >
    > Do I allow protocol 50 through my pix? How is the syntax?
    >
    > btw, 66.12.xx.xxx (GW VPN that i am trying to connect) and
    > 66.159.xxx.xx (my public ip assigned by ISP).
    >
    > Thanks in advance.
    > Tony
    >


    access-list acl_outbound permit esp any any
    access-list acl_outbound permit udp any any eq isakmp
    access-list acl_outbound permit udp any any eq 4500

    access-group acl_outbound in interface inside
     
    oTTo, Jun 2, 2005
    #5
  7. Guest

    Otto,

    I am still getting the same error message:

    106010: Deny inbound protocol 50 scr outside:66.12.xx.xxx dst
    inside:66.159.xxx.xx

    Do I need an additional config statement for each of the lines you
    provided above, something like this:

    static (inside,outside) 66.159.xxx.xx esp 192.168.1.2 esp
    255.255.255.255

    In addition, I get many different error messages like the one below (I
    lose my connection to the internet):

    106023: deny udp src inside: 192.168.1.2/1102 dst
    outside:217.12.4.104/53 by access-group "acl_outbound"

    Thanks,
    Tony
     
    , Jun 2, 2005
    #7
  8. jarcar Guest

    oTTo wrote:
    > <> wrote in message
    > news:...
    >
    >>Guys,
    >>
    >>I have tried with Jyri suggested:
    >>
    >>fixup protocol esp-ike
    >>
    >>Now, I am getting message from the log.
    >>
    >>106010: Deny inbound protocol 50 scr outside:66.12.xx.xxx dst
    >>inside:66.159.xxx.xx
    >>


    >
    > access-list acl_outbound permit esp any any
    > access-list acl_outbound permit udp any any eq isakmp
    > access-list acl_outbound permit udp any any eq 4500
    >
    > access-group acl_outbound in interface inside


    Forget about those access-lists.

    All you need is "isakmp nat-traversal"

    You have to enable it - that's all.

    Check
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1108077


    regards jarcar
     
    jarcar, Jun 2, 2005
    #8
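    As an added triage aid (not from this thread or from Cisco): a small Python parser that classifies the PIX syslog ids quoted above (305006, 106010, 106023) into the causes the replies point at, namely PAT having no ports to translate for ESP, unsolicited inbound ESP, and the implicit deny at the end of an access-list applied to the inside interface. The sample lines are constructed for this example, with RFC 5737 documentation addresses standing in for the masked hosts.

```python
import re

# Constructed sample lines in PIX 6.x syslog format (not copied from the thread);
# the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOGS = [
    "%PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.1.2 dst outside:203.0.113.10",
    "%PIX-6-305012: teardown dynamic UDP translation from inside:192.168.1.2/500 to outside:198.51.100.7/12 duration 0:01:32",
    "%PIX-2-106010: Deny inbound protocol 50 src outside:203.0.113.10 dst inside:198.51.100.7",
    '%PIX-4-106023: Deny udp src inside:192.168.1.2/1102 dst outside:192.0.2.53/53 by access-group "acl_outbound"',
]

HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
PROTO = re.compile(r"protocol (?P<proto>\d+)")
ENDPOINT = re.compile(r"(?P<role>src|dst) (?P<iface>\w+):\s*(?P<ip>[\d.]+)(?:/(?P<port>\d+))?")
ACL = re.compile(r'by access-group "(?P<acl>[^"]+)"')

ESP = 50  # IP protocol number named in the 305006 and 106010 messages


def parse_pix_syslog(line: str):
    """Split one PIX syslog line into message id, protocol, endpoints and ACL name; None if not PIX format."""
    m = HEADER.match(line)
    if not m:
        return None
    body = m.group("body")
    ev = {"severity": int(m.group("sev")), "msgid": m.group("msgid")}
    p = PROTO.search(body)
    ev["proto"] = int(p.group("proto")) if p else None
    for e in ENDPOINT.finditer(body):
        ev[e.group("role")] = {"iface": e.group("iface"), "ip": e.group("ip"), "port": e.group("port")}
    a = ACL.search(body)
    ev["acl"] = a.group("acl") if a else None
    return ev


def diagnose(ev: dict) -> str:
    """Map the message ids seen in the thread to the root cause a PAT'd IPsec client runs into."""
    if ev["msgid"] == "305006" and ev["proto"] == ESP:
        return "esp-no-pat"  # ESP has no ports, so PAT cannot build an xlate: NAT-T (isakmp nat-traversal) moves ESP into UDP/4500
    if ev["msgid"] == "106010" and ev["proto"] == ESP and ev.get("src", {}).get("iface") == "outside":
        return "esp-inbound-denied"  # ESP from the gateway arrives with no matching xlate; with NAT-T the UDP/4500 xlate admits replies
    if ev["msgid"] == "106023" and ev["acl"]:
        return "inside-acl-implicit-deny"  # an ACL bound to the inside interface implicitly denies everything it does not permit (here DNS)
    return "other"


def triage(lines) -> list:
    """Return (msgid, diagnosis) for every parseable line, in input order."""
    return [(ev["msgid"], diagnose(ev)) for ev in map(parse_pix_syslog, lines) if ev]
```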
