Cisco VPN client through 2 firewalls

Hello all, I have a PIX 501 firewall running 6.2(2), with Easy VPN set up (I hope that was the right phrase). From home it works fine for me and everyone else using it.
The problem arises when I try doing this from our remote location in Bala, which is behind a firewall with their own NATting. When we then connect to ours, we can't map to inside addresses or join the domain.
Now, it makes the IPsec SA and all; I can see it decapping/encapping, and the Cisco VPN connection looks fine.

Asked by: briankeegan

1 Solution
 
grbladesCommented:
Hi briankeegan,
Can you ask them to make sure ESP (IP protocol 50) is permitted through their firewall? If it isn't, you will be able to authenticate but not transfer any data.
 
briankeeganAuthor Commented:
Here in Bloomfield we have two of our servers statically NATted to outside public addresses; we can map to those and transfer data back to Bala, PA, so I assume ESP is permitted. I know on my side it is.
 
briankeeganAuthor Commented:
Sorry for asking the same types of questions over and over again; they must seem quite boring. I just can't figure out why it works one way, then you try it behind a firewall and it stops working.
 
grbladesCommented:
Can you clarify a few things.

Can you establish a VPN to or from Bala to anywhere else?
Are all your VPN connections IPsec or PPTP?

You can obviously authenticate to Bala. Can you transfer any data at all, such as being able to ping another server?
 
briankeeganAuthor Commented:
Behind their firewall in Bala is shared office space; some of them are VPN'ing.
On our firewall here in Bloomfield some of them are remote access; we have one point-to-point VPN connection going.
I can ping the outside address that my servers are directly NATted to, i.e. 192.168.30.10 -> 208.xx.xxx.12.
 
grbladesCommented:
How are you trying to connect to Bala?
Is it a fixed point-to-point VPN or are you using a client?
Are you using an IPsec or PPTP VPN?
Where is the VPN server in Bala? Is it behind the firewall or is it the firewall itself?
 
briankeeganAuthor Commented:
Remote client from Bala to me here in Bloomfield; we are using IPsec.
The VPN server for us here is a PIX firewall; it is the same at Bala.
 
grbladesCommented:
So you can use the Cisco VPN client and connect to your office from other locations except Bala.
Is the 'firewall' at Bala you refer to the PIX?
What internal IP address ranges are you using in your office and at Bala?
If you establish a VPN and try connecting, what is shown in the logs at your office PIX?
 
briankeeganAuthor Commented:
The firewalls at Bala and Bloomfield are both PIX. The address range for here is 192.168.200.*. The PDM shows they are connected and de/encapping, and connected as well as the IKE SA is QM_IDLE, just like the other person connected to us.

I was thinking that since we have 6.2 and not 6.3, NAT transparency won't work, hence no double NATting, but I am not sure if that is true.
 
grbladesCommented:
I am not sure about the NAT transparency issue. I think the best person to ask would be 'lrmoore'. I don't think he monitors this section as much as he does some others, so you might want to find a recent topic he has posted a comment in and ask him to have a look at yours.
 
briankeeganAuthor Commented:
OK, thank you kindly.
 
briankeeganAuthor Commented:
How do I go about asking him? I never did that before and am not sure if that is a breach of etiquette.
 
grbladesCommented:
I'll post at the question shown below and ask him to have a look.
http://www.experts-exchange.com/Networking/Q_21087619.html
 
briankeeganAuthor Commented:
Thank you very much.
 
lrmooreCommented:
Highly suggest upgrading to 6.3(4) to get the NAT-transparency feature. This would be required in Bala, but not necessarily in Bloomfield.
If the PIX in Bala is not a VPN endpoint, then you can look at enabling fixup protocol esp-ike.
 
briankeeganAuthor Commented:
Thank you a lot. Is there any way to know for sure if this is a NAT transparency issue or something else? I am in the process of battling the evil bean counters to buy a SmartNet contract for the PIX so I can get this, but they are being cheap.
 
briankeeganAuthor Commented:
Please, how do you enable fixup protocol esp-ike?

----thanks
Brian Keegan
 
lrmooreCommented:
pixfirewall(config)#fixup protocol esp-ike

If you can answer one question, then we can nail it down to a NAT transparency issue.
If there is only one IP address, and the PIX is configured to use the interface for NAT, as:
global (outside) 1 interface

Then it is without doubt a NAT transparency issue.
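The two PIX-side changes lrmoore points to, written out as an added configuration example (PIX 6.3 syntax) that is not part of the original thread. It assumes the Bloomfield PIX is the Easy VPN head-end with its public side on `outside`, that the Bala PIX is only a PAT gateway in front of the client and not an IPsec endpoint, that the Bala PAT pool is number 10 as the asker reports, and that the NAT-T keepalive interval of 20 seconds (the PIX default) is acceptable; interface names and the `nat` statement are illustrative.

```cisco
! --- Bloomfield PIX 501 (Easy VPN head-end), after upgrading to 6.3(4) ---
! IKE is already enabled on the outside interface for the existing remote-access clients.
isakmp enable outside
! NAT traversal: a client behind PAT negotiates IKE on UDP/500, then carries ESP inside UDP/4500,
! so the PAT device never has to translate bare ESP (IP protocol 50), which has no ports.
isakmp nat-traversal 20
! Let decrypted tunnel traffic bypass the outside ACL (normally already present on an Easy VPN server).
sysopt connection permit-ipsec

! --- Bala PIX (plain PAT gateway, NOT an IPsec endpoint), after upgrading to 6.3 ---
! Single public address: every inside host is PATted to the outside interface address.
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
global (outside) 10 interface
! Fallback for a client that cannot negotiate NAT-T: track one ESP tunnel through PAT by
! correlating it with the IKE (UDP/500) exchange that set it up.
fixup protocol esp-ike
```

With NAT-T in place the check on the Bala side becomes whether UDP/500 and UDP/4500 are permitted outbound and their PAT translations stay open (the keepalive exists for that), rather than whether ESP itself can cross the PAT. The Cisco VPN Client negotiates this on its own when "Enable Transparent Tunneling" (IPSec over UDP) is left on in the connection entry, which is its default. The esp-ike fixup is the weaker option: it supports a single ESP tunnel through the PAT at a time, and the PIX 6.3 command reference does not allow it on a PIX that itself has `isakmp enable` configured, which is why it only applies when the Bala PIX is not a VPN endpoint.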
 
briankeeganAuthor Commented:
I tried that command and it does not work. Maybe because it comes with 6.3?
And our outside interface says global (outside) 10 interface; we only use one IP address for it.
 
lrmooreCommented:
You need 6.3
 
briankeeganAuthor Commented:
OK, thank you. Now, seeing as it is also an endpoint going to another VPN, will that cause issues if we use pixfirewall(config)#fixup protocol esp-ike?

Thanks again. I guess this also counts as the solution. Also sorry for asking so many VPN questions; I seem to be learning on the fly.
Question has a verified solution.