VPN through PIX to PIX

Discussion in 'Cisco' started by Jason Kau, Jul 24, 2003.

  1. Jason Kau

    Jason Kau Guest

    My PC is behind a PIX 535 (6.3.1) and I want to make a VPN connection from
    my PC to a remote PIX 515E (6.3.1) at a branch office using the Cisco VPN

    There is no NAT being performed anywhere (public IP address space behind
    the PIX 535, public IP address space between the PIXs and public IP
    address space behind the PIX 515E).

    The VPN connection is succesfully negotiated and packets from my PC are
    able to reach the systems behind the remote PIX 515E over the VPN tunnel
    (verified with tcpdump). However, the return traffic flowing back over
    VPN tunnnel is being blocked by the local PIX 535:

    Jul 23 21:23:13 pix-535 %PIX-4-106023: Deny protocol 50 src
    outside:AA.BB.CC.DD dst inside:WW.XX.YY.ZZ by access-group "inbound"

    Jul 23 21:26:58 pix-535 %PIX-4-106023: Deny udp src
    outside:AA.BB.CC.DD/500 dst inside:WW.XX.YY.ZZ/500 byaccess-group "inbound"

    AA.BB.CC.DD = IP address of outside interface of remote PIX 515E
    WW.XX.YY.ZZ = IP address of my PC

    Since there is no NAT here, the Cisco VPN Client is not negotiating
    NAT-Traversal with remote PIX 515E (it is turned on) and thus not
    encapsulating the IPSec over UDP.

    Is there any way around this problem other than:

    1) allowing udp port 500 and protocol 50 (GRE) to my PC

    2) replacing the remote PIX 515E with a VPN Concentrator which does IPSec
    over UDP even when you're not behind NAT

    Jason Kau, Jul 24, 2003
  2. Are you allowing protocol number 50 or protocol GRE?

    Your post states that you allow protocol 50 (GRE) but
    - protocol id 50 is ESP
    - GRE is protocol id 47
    If your vpn is a PPTP tunnel, you should allow GRE if its an IPSEC tunnel
    you should allow 50


    Marc Van der Sypt, Jul 25, 2003
