VPN client through PIX 501?

Hey all,

I just installed a PIX 501 at my house attached to my cable modem. It's
doing DHCP and PAT just as configured. All users on my internal LAN can get
to the Net as expected. However, I cannot get my Cisco VPN client to
connect to the office without modifying the PIX config. The client connects
and authenticates, but no traffic is passed between networks. I know I
could do a site-to-site VPN between my 501 and my 3000, but I don't want to
expose my office to my home LAN and vice-versa.

My config on the PIX is very standard. To permit outbound access I...
global (outside) 2 interface
nat (inside) 2 192.168.1.0 255.255.255.0 0 0

I launch the VPN client on a machine behind the PIX and connect to the 3000.
It authenticates me and completes the VPN negotiation. At this point, no
traffic will pass through the VPN and the PIX generates...
305006: portmap translation creation failed for protocol 50 src
inside:192.168.1.100 dst outsideIP of my VPN)

I can work around this by creating a static from my current public IP to the
..100 inside IP and an ACL to permit ESP inbound, but who wants to do that?
And when I do, it prevents all other machines on the inside network from
being able to get outside. (And yes, I know why.

Any suggestions? I've combed the Cisco site and googled many things. I
can't figure out why the traffic is failing in the outbound direction since
my NAT and global commands should be letting all traffic out. I do not have
an outbound access list applied to the inside interface. I also have a hard
time believing you can't use the Cisco VPN client from behind a PIX. Oh,
and I have tried using the sysopt connect permit ipsec command.

Any and all help is greatly appreciated!

Thanks

 

I feel with you:

http://www.tek-tips.com/viewthread.cfm?qid=933369&page=2

Make sure you use udp encap on your vpn3000 group config
do a show xlate and see if you udp/500 get PAT'ed to udp/1, /2, /3 or some
small numer or if its udp/500 on both sides.

Check you PIXos version

 

you need to configure nat-traversal on the 501

 

Hi,

Do your remote network (behind VPN3000) it's the same that your home
network (behind PIX) i.e. 192.168.1.0/24?

If it's the case, you must add a new route on your local workstation
and tell your routing table to route all traffic for 192.168.1.0/24 or
specific host i.e. 192.168.1.x/32 to point on your VPN interface [email protected]
Lets say, If your local VPN client receive [email protected] 172.16.0.1 from the
VPN3000 the new route must be:

From DOS command prompt:

(All subnet)
route add 192.168.1.0 mask 255.255.255.0 172.16.0.1
or
(Only one host)
route add 192.168.1.x mask 255.255.255.255 172.16.0.1

Test it!
Dominic

 

Add the following command to your PIX ...

fixup protocol esp-ike

This will allow you to use a Cisco VPN Client to VPN out.

Note: If you are using this command you won't be able to use your PIX as a
VPN endpoint - I.E. use the Cisco VPN client outside your PIX to VPN into
your PIX.