VPN connection to offsite location through local PIX?

Discussion in 'Cisco' started by ChrisAllen, Jun 29, 2004.

  1. ChrisAllen

    ChrisAllen Guest

    Hello,
    I'm trying to connect to a VPN at another location, however it is not
    working through the PIX firewall we have. If I try it from outside the
    PIX, no problem. I have 4 users who want to access the same VPN, but
    only 1 static IP, can I do this or will only 1 machine be able to
    access the VPN?
    ChrisAllen, Jun 29, 2004
    #1

  2. In article <>,
    ChrisAllen <> wrote:
    :I'm trying to connect to a VPN at another location, however it is not
    :working through the PIX firewall we have. If I try it from outside the
    :PIX, no problem. I have 4 users who want to access the same VPN, but
    :only 1 static IP, can I do this or will only 1 machine be able to
    :access the VPN?

    There are configurations under which it -can- work, but it depends
    how the VPN is configured (on both ends) and it depends on your
    PIX software version.

    Best case for you would be PIX 6.3(1) or later, IPSec as the
    VPN, enable isakmp nat-traversal and ensure that udp 500 and
    udp 4500 and a negotiated UDP port are open from security gateway
    to security gateway.

    Worst case for you would be PPTP or software which is 6.2 or
    earlier. PPTP needs GRE (IP protocol 47), which older PIXes
    had no way to forward at all [assuming a single outside IP],
    and as of 6.3(1) can still only forward to one device at a time.


    --
    We don't need no side effect-ing
    We don't need no scope control
    No global variables for execution
    Hey! Did you leave those args alone? -- decvax!utzoo!utcsrgv!roderick
    Walter Roberson, Jun 29, 2004
    #2

  3. ChrisAllen

    Tim Levy Guest

    Hi Chris,

    > I'm trying to connect to a VPN at another location, however it is not
    > working through the PIX firewall we have. If I try it from outside the
    > PIX, no problem. I have 4 users who want to access the same VPN, but
    > only 1 static IP, can I do this or will only 1 machine be able to
    > access the VPN?


    From what you say, it sounds as if you are using a software VPN client on
    the four users' machines, and a pre-existing VPN server against which you
    need the clients to be able to work. If you have only one static IP on the
    outside of the PIX then, presumably, you are using PAT to give your users
    access to the outside.

    If the external VPN server is using PPTP (i.e. your users are using PPTP
    clients, for example the PPTP option on the VPN connectoid that comes
    built-in to Win 2k or XP), then you: (1) need to be running PIX firmware 6.3
    and, (2) need to have the PPTP fixup enabled with:

    fixup protocol pptp 1723

    in order to get your users' outbound PPTP connections to work over PAT in
    the PIX. From memory, I think the PPTP fixup is not enabled by default.

    See the write-up in:

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

    and have a look at the section in there entitled 'Background theory'.

    I hope that helps.

    Tim Levy
    London
    Tim Levy, Jul 2, 2004
    #3
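
Added example, not part of any post in this thread: a Python check that reads a saved PIX configuration and reports whether it meets the prerequisites named in replies #2 and #3 (software 6.3(1) or later, `isakmp nat-traversal`, `fixup protocol pptp 1723`). The sample configuration, function names and result keys are constructed for illustration.

```python
import re

# Constructed running-config excerpt for illustration; not taken from the thread.
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
fixup protocol ftp 21
isakmp enable outside
isakmp nat-traversal 20
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

MIN_VERSION = (6, 3, 1)  # release the replies call for


def parse_version(config):
    """Return (major, minor, maintenance) from the 'PIX Version' line, or None."""
    m = re.search(r"^PIX Version (\d+)\.(\d+)\((\d+)\)", config, re.MULTILINE)
    return tuple(int(g) for g in m.groups()) if m else None


def has_command(config, prefix):
    """True if an active line starts with prefix ('no ...' lines do not match)."""
    return any(line.strip().startswith(prefix) for line in config.splitlines())


def audit(config):
    """Check the config against the prerequisites named in replies #2 and #3."""
    version = parse_version(config)
    new_enough = version is not None and version >= MIN_VERSION
    nat_t = has_command(config, "isakmp nat-traversal")
    pptp = has_command(config, "fixup protocol pptp")
    notes = []
    if not new_enough:
        notes.append("software is older than 6.3(1), the release the replies call for")
    if not nat_t:
        notes.append("IPSec: 'isakmp nat-traversal' is not enabled")
    if not pptp:
        notes.append("PPTP: 'fixup protocol pptp 1723' is not enabled")
    return {"version": version, "ipsec_nat_t_ok": new_enough and nat_t,
            "pptp_fixup_ok": new_enough and pptp, "notes": notes}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(result["version"], result["ipsec_nat_t_ok"], result["pptp_fixup_ok"])
    for note in result["notes"]:
        print("-", note)
```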