VPN client through PIX 501?

Discussion in 'Cisco' started by Heywood, Nov 3, 2004.

  1. Heywood

    Heywood Guest

    Hey all,

    I just installed a PIX 501 at my house attached to my cable modem. It's
    doing DHCP and PAT just as configured. All users on my internal LAN can get
    to the Net as expected. However, I cannot get my Cisco VPN client to
    connect to the office without modifying the PIX config. The client connects
    and authenticates, but no traffic is passed between networks. I know I
    could do a site-to-site VPN between my 501 and my 3000, but I don't want to
    expose my office to my home LAN and vice-versa.

    My config on the PIX is very standard. To permit outbound access I...
    global (outside) 2 interface
    nat (inside) 2 192.168.1.0 255.255.255.0 0 0

    I launch the VPN client on a machine behind the PIX and connect to the 3000.
    It authenticates me and completes the VPN negotiation. At this point, no
    traffic will pass through the VPN and the PIX generates...
    305006: portmap translation creation failed for protocol 50 src
    inside:192.168.1.100 dst outside:(IP of my VPN)

    I can work around this by creating a static from my current public IP to the
    .100 inside IP and an ACL to permit ESP inbound, but who wants to do that?
    And when I do, it prevents all other machines on the inside network from
    being able to get outside. (And yes, I know why. :)

    Any suggestions? I've combed the Cisco site and googled many things. I
    can't figure out why the traffic is failing in the outbound direction since
    my NAT and global commands should be letting all traffic out. I do not have
    an outbound access list applied to the inside interface. I also have a hard
    time believing you can't use the Cisco VPN client from behind a PIX. Oh,
    and I have tried using the sysopt connect permit ipsec command.

    Any and all help is greatly appreciated!

    Thanks
     
    Heywood, Nov 3, 2004
    #1

  2. Martin Bilgrav, Nov 4, 2004
    #2

  3. Harry

    Harry Guest

    You need to configure nat-traversal on the 501.
     
    Harry, Nov 4, 2004
    #3
  4. Dominic

    Dominic Guest

    Hi,

    Is your remote network (behind the VPN3000) the same as your home
    network (behind the PIX), i.e. 192.168.1.0/24?

    If that is the case, you must add a new route on your local workstation
    and tell your routing table to route all traffic for 192.168.1.0/24, or for a
    specific host i.e. 192.168.1.x/32, to your VPN interface IP address.
    Let's say your local VPN client receives IP address 172.16.0.1 from the
    VPN3000; then the new route must be:

    From DOS command prompt:

    (All subnet)
    route add 192.168.1.0 mask 255.255.255.0 172.16.0.1
    or
    (Only one host)
    route add 192.168.1.x mask 255.255.255.255 172.16.0.1

    Test it!
    Dominic
     
    Dominic, Nov 4, 2004
    #4
  5. none

    none Guest

    Add the following command to your PIX ...

    fixup protocol esp-ike

    This will allow you to use a Cisco VPN Client to VPN out.

    Note: If you are using this command you won't be able to use your PIX as a
    VPN endpoint, i.e. use the Cisco VPN client outside your PIX to VPN into
    your PIX.
     
    none, Nov 6, 2004
    #5
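The 305006 message quoted in the original question is the PIX saying that PAT (a "global ... interface" pool) cannot build a translation for IP protocol 50 (ESP), because ESP has no port field to rewrite; NAT-T (UDP/4500) or the esp-ike fixup suggested above are the usual ways around it. The following parser, an added example and not code from the thread or from Cisco, pulls these failures out of PIX syslog and tallies which inside host and VPN peer are affected; the log lines and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample PIX syslog lines (not from the thread). 203.0.113.5 stands
# in for the VPN 3000 concentrator, 198.51.100.7 for the PIX outside address.
SAMPLE_LOG = """\
%PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.1.100 dst outside:203.0.113.5
%PIX-6-302015: Built outbound UDP connection 1234 for outside:203.0.113.5/500 (203.0.113.5/500) to inside:192.168.1.100/500 (198.51.100.7/1025)
%PIX-3-305006: portmap translation creation failed for protocol 50 src inside:192.168.1.100 dst outside:203.0.113.5
%PIX-3-305006: portmap translation creation failed for protocol 47 src inside:192.168.1.101 dst outside:203.0.113.9
"""

# 305006 is logged when a PAT pool cannot create a translation because the
# protocol carries no TCP/UDP port that the PIX could rewrite.
PORTMAP_FAIL = re.compile(
    r"305006: portmap translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+) dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)

# IP protocols with no L4 port field; these cannot pass PAT unencapsulated.
PORTLESS = {50: "ESP", 51: "AH", 47: "GRE"}


def parse_portmap_failures(log_text):
    """Return one dict per 305006 line: protocol number/name and endpoints."""
    events = []
    for line in log_text.splitlines():
        m = PORTMAP_FAIL.search(line)
        if not m:
            continue
        proto = int(m.group("proto"))
        events.append({
            "proto": proto,
            "name": PORTLESS.get(proto, f"proto-{proto}"),
            "src": m.group("src"),
            "dst": m.group("dst"),
        })
    return events


def summarize(events):
    """Count failures per (inside host, VPN peer, protocol) so the admin can see
    which client is stuck behind PAT and on which peer NAT-T or an ESP fixup
    is needed."""
    return Counter((e["src"], e["dst"], e["name"]) for e in events)


if __name__ == "__main__":
    for key, n in summarize(parse_portmap_failures(SAMPLE_LOG)).items():
        print(f"{key[0]} -> {key[1]} ({key[2]}): {n} failed translation(s)")
```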