Solved

cisco vpn client through 2 firewalls

Posted on 2004-08-11
1,525 Views
Last Modified: 2008-02-26
Hello all. I have a PIX 501 firewall running 6.2(2), with Easy VPN set up (I hope that was the right phrase). From home it works fine for me and everyone else using it.
The problem arises when I try doing this from our remote location in Bala, which is behind a firewall with their own NATting, and then connect to ours: we can't map to inside addresses or join the domain.
Now it makes the IPsec SA, and I can see it decapping/encapping; the Cisco VPN connection looks fine.
Question by:briankeegan

21 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11776204
Hi briankeegan,
Can you ask them to make sure ESP (IP protocol 50) is permitted through their firewall? If it isn't, then you will be able to authenticate but not transfer any data.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11776387
Here in Bloomfield we have 2 of our servers statically NATted to outside public addresses; we can map to those and transfer data back to Bala, PA, so I assume ESP is permitted. I know on my side it is.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11784940
Sorry for asking the same types of questions over and over again; they must seem quite boring. I just can't figure out why it works one way, and then you try it behind a firewall and it stops working.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11785842
Can you clarify a few things.

Can you establish a VPN to or from Bala to anywhere else?
Are all your VPN connections IPSEC or PPTP?

You can obviously authenticate to Bala. Can you transfer any data at all, such as being able to ping another server?
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786157
Behind their firewall in Bala is shared office space; some of them are VPN'ing.
On our firewall here in Bloomfield some of them are remote access; we have one point-to-point VPN connection going.
I can ping the outside address that my servers are directly NATted to, i.e. 192.168.30.10 -> 208.xx.xxx.12
0
 
LVL 36

Expert Comment

by:grblades
ID: 11786255
How are you trying to connect to Bala?
Is it a fixed point to point VPN or are you using a client?
Are you using an IPSEC or PPTP VPN?
Where is the VPN server in Bala? Is it behind the firewall or is it the firewall itself?
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786275
Remote client from Bala to me here in Bloomfield; we are using IPsec.
The VPN server for us here is a PIX firewall; it is the same at Bala.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11786429
So you can use the Cisco VPN client and connect to your office from other locations except Bala.
Is the 'firewall' at Bala you refer to the PIX?
What internal IP address ranges are you using in your office and at Bala?
If you establish a VPN and try connecting what is shown in the logs at your office PIX?
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786686
The firewalls at Bala and Bloomfield are both PIX. The address range for here is 192.168.200.*. The PDM shows they are connected and de/encapping, and connected as well as the IKE SA being QM_IDLE, just like the other person connected to us.

I was thinking that since we have 6.2 and not 6.3, NAT transparency won't work, hence no double NATting, but I am not sure if that is true.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11786757
I am not sure about the nat transparency issue. I think the best person to ask would be 'lrmoore'. I don't think he monitors this section as much as he does some others so you might want to find a recent topic he has posted a comment in and ask him to have a look at yours.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786973
OK, thank you kindly.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11787179
How do I go about asking him? I never did that before and am not sure if that is a breach of etiquette.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11787206
I'll post at the question shown below and ask him to have a look.
http://www.experts-exchange.com/Networking/Q_21087619.html
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11787218
thank you very much
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11788093
Highly suggest upgrading to 6.3(4) to get the NAT-transparency feature. This would be required in Bala, but not necessarily in Bloomfield.
If the PIX in Bala is not a VPN endpoint, then you can look at enabling fixup protocol esp-ike.
0
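Worked configuration, added here as an illustration and not taken from the thread, from Cisco documentation or from either site's real config, pulling together grblades' point that ESP (IP protocol 50) must be allowed through and lrmoore's 6.3 recommendation. The public address 203.0.113.1, the ACL name outside_in, the interface names and the NAT ID 1 are assumptions; comment lines (starting with a colon) are explanatory and are not commands. Both halves assume the PIX has already been upgraded to 6.3, since neither isakmp nat-traversal nor fixup protocol esp-ike exists in 6.2.

```cisco
: ---- Bloomfield PIX (Easy VPN server, 6.3) ----
: Negotiate NAT-T so a client behind PAT sends ESP inside UDP/4500, which a
: single-address PAT device can translate like any other UDP flow.
: 20 = NAT keepalive interval in seconds (the default).
isakmp enable outside
isakmp nat-traversal 20
: Let decrypted IPsec traffic bypass the outside ACL once a tunnel is up.
sysopt connection permit-ipsec
: The outside ACL must still admit IKE (UDP/500), NAT-T (UDP/4500) and raw
: ESP for clients that are not behind NAT. 203.0.113.1 = assumed outside IP.
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit udp any host 203.0.113.1 eq 4500
access-list outside_in permit esp any host 203.0.113.1
access-group outside_in in interface outside

: ---- Bala PIX (PAT-only firewall in front of the client, 6.3) ----
: One public address, PAT on the interface: ESP carries no port numbers, so
: raw ESP cannot be multiplexed across clients. esp-ike fixup tracks a single
: tunnel; it cannot be combined with 'isakmp enable' on this same PIX.
nat (inside) 1 0 0
global (outside) 1 interface
fixup protocol esp-ike
```

If the head end runs 6.3 with isakmp nat-traversal and the Cisco VPN client is NAT-T capable, the client side switches to UDP/4500 and the Bala PIX needs nothing beyond allowing outbound UDP/500 and UDP/4500; the esp-ike fixup is the fallback for a head end or client that cannot negotiate NAT-T, and it only helps when the Bala PIX is not itself an IPsec endpoint.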
 
LVL 1

Author Comment

by:briankeegan
ID: 11788123
Thank you a lot. Is there any way to know for sure if this is a NAT transparency issue or something else? I am in the process of battling the evil bean counters to buy a SmartNet contract for the PIX so I can get this, but they are being cheap.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11788342
Please, how do you enable fixup protocol esp-ike?

----thanks
            Briank Keegan
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11789213
pixfirewall(config)#fixup protocol esp-ike

If you can answer one question, then we can nail it down to a nat transparency issue.
If there is only one IP address, and the pix is configured to use the interface for nat, as:
global (outside) 1 interface

Then it is without doubt a nat transparency issue.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11793840
I tried that command and it does not work; maybe because it comes with 6.3?
And our outside interface says global (outside) 10 interface; we only use one IP address for it.
0
 
LVL 79

Accepted Solution

by:lrmoore (earned 500 total points)
ID: 11793920
You need 6.3
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11794094
OK, thank you. Now, seeing as it is also an endpoint going to another VPN, will that cause issues if we use pixfirewall(config)#fixup protocol esp-ike?

Thanks again. I guess this also counts as the solution. Also, sorry for asking so many VPN questions; I seem to be learning on the fly.

0