Solved

cisco vpn client through 2 firewalls

Posted on 2004-08-11
Last Modified: 2008-02-26
Hello all, I have a PIX 501 firewall running 6.2(2), with Easy VPN set up (I hope that was the right phrase). From home it works fine for me and everyone else using it.
The problem arises when I try doing this from our remote location in Bala, which is behind a firewall with their own NATting; when we then connect to ours we can't map to inside addresses or join the domain.
Now it makes the IPsec SA and all; I can see it decapping/encapping, and the Cisco VPN connection looks fine.
           
Question by:briankeegan
 
Expert Comment

by:grblades
ID: 11776204
Hi briankeegan,
Can you ask them to make sure ESP (IP protocol 50) is permitted through their firewall? If it isn't, then you will be able to authenticate but not transfer any data.
 
Author Comment

by:briankeegan
ID: 11776387
here in Bloomfield we have 2 of our servers static NATted to outside public addresses; we can map to those and transfer data back to Bala, PA, so I assume ESP is permitted. I know on my side it is.
 
Author Comment

by:briankeegan
ID: 11784940
sorry for asking the same types of questions over and over again; they must seem quite boring. I just can't figure out why it works one way, then you try it behind a firewall and it stops working.
 
Expert Comment

by:grblades
ID: 11785842
Can you clarify a few things.

Can you establish a VPN to or from Bala to anywhere else?
Are all your VPN connections IPsec or PPTP?

You can obviously authenticate to Bala. Can you transfer any data at all, such as being able to ping another server?
 
Author Comment

by:briankeegan
ID: 11786157
behind their firewall in Bala is shared office space; some of them are VPN'ing.
on our firewall here in Bloomfield some of them are remote access; we have one point-to-point VPN connection going.
I can ping the outside address that my servers are directly NATted to, i.e. 192.168.30.10  208.xx.xxx.12
 
Expert Comment

by:grblades
ID: 11786255
How are you trying to connect to Bala?
Is it a fixed point-to-point VPN or are you using a client?
Are you using an IPsec or PPTP VPN?
Where is the VPN server in Bala? Is it behind the firewall or is it the firewall itself?
 
Author Comment

by:briankeegan
ID: 11786275
remote client from Bala to me here in Bloomfield; we are using IPsec.
the VPN server for us here is a PIX firewall; it is the same at Bala.
 
Expert Comment

by:grblades
ID: 11786429
So you can use the Cisco VPN client and connect to your office from other locations except Bala.
Is the 'firewall' at Bala you refer to the PIX?
What internal IP address ranges are you using in your office and at Bala?
If you establish a VPN and try connecting what is shown in the logs at your office PIX?
 
Author Comment

by:briankeegan
ID: 11786686
the firewalls at Bala and Bloomfield are both PIX. the address range for here is 192.168.200.*. the PDM shows they are connected and de/encapping, and connected as well as the IKE SA is QM_IDLE, just like the other person connected to us.

I was thinking that since we have 6.2 and not 6.3, NAT transparency won't work, hence no double NATting, but I am not sure if that is true.
 
Expert Comment

by:grblades
ID: 11786757
I am not sure about the NAT transparency issue. I think the best person to ask would be 'lrmoore'. I don't think he monitors this section as much as he does some others so you might want to find a recent topic he has posted a comment in and ask him to have a look at yours.
 
Author Comment

by:briankeegan
ID: 11786973
ok thank you kindly
 
Author Comment

by:briankeegan
ID: 11787179
how do I go about asking him? I never did that before and am not sure if that is a breach of etiquette.
 
Expert Comment

by:grblades
ID: 11787206
I'll post at the question shown below and ask him to have a look.
http://www.experts-exchange.com/Networking/Q_21087619.html
 
Author Comment

by:briankeegan
ID: 11787218
thank you very much
 
Expert Comment

by:lrmoore
ID: 11788093
Highly suggest upgrading to 6.3(4) to get the NAT-transparency feature. This would be required in Bala, but not necessarily in Bloomfield.
If the PIX in Bala is not a VPN endpoint, then you can look at enabling fixup protocol esp-ike.
 
Author Comment

by:briankeegan
ID: 11788123
thank you a lot. is there any way to know for sure if this is a NAT transparency issue or something else? I am in the process of battling the evil bean counters to buy a SMARTnet contract for the PIX so I can get this, but they are being cheap.
 
Author Comment

by:briankeegan
ID: 11788342
please, how do you enable fixup protocol esp-ike?

----thanks
Brian Keegan
 
Expert Comment

by:lrmoore
ID: 11789213
pixfirewall(config)#fixup protocol esp-ike

If you can answer one question, then we can nail it down to a NAT transparency issue.
If there is only one IP address, and the PIX is configured to use the interface for NAT, as:
global (outside) 1 interface

Then it is without doubt a NAT transparency issue.
 
Author Comment

by:briankeegan
ID: 11793840
I tried that command and it does not work. maybe because it comes with 6.3?
and our outside interface says global (outside) 10 interface; we only use one IP address for it.
 
Accepted Solution

by:
lrmoore earned 500 total points
ID: 11793920
You need 6.3
 
Author Comment

by:briankeegan
ID: 11794094
ok thank you. now, seeing as it is also an endpoint going to another VPN, will that cause issues if we use pixfirewall(config)#fixup protocol esp-ike?

thanks again. I guess this also counts as the solution. also sorry for asking so many VPN questions; I seem to be learning on the fly.

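The PIX 6.3 configuration that lrmoore's two posts point at, written out as an added example (this is not text from the thread or from Cisco; it is one way the check and the two fixes look on the console). It goes slightly beyond the thread by showing both 6.3 options side by side, the PAT-only check first, and the counter to watch while a client pushes traffic. The hostname "pixfirewall" and the NAT id 10 follow the thread; everything else is a placeholder.

```text
! --- The check lrmoore asks for (either PIX): is the outside side a single PAT address?
pixfirewall# show running-config global
global (outside) 10 interface
! One public IP shared by PAT. PAT rewrites UDP/TCP ports, but ESP (IP protocol 50)
! has no ports, so on PIX 6.2 IKE (UDP/500) completes and the SA shows QM_IDLE while
! the ESP data packets from the PAT side never make it: encaps on one end, no decaps
! on the other. That is the "NAT transparency" symptom in this thread.

! --- Option A (needs 6.3): fixup protocol esp-ike on the PAT device (Bala PIX).
!     Tracks one ESP tunnel per PAT address so a single Cisco VPN client behind it
!     gets through. It is only usable when that PIX is NOT itself an ISAKMP/IPsec
!     endpoint: the command is rejected if isakmp enable is configured on the box
!     (this answers the last question in the thread).
pixfirewall(config)# fixup protocol esp-ike

! --- Option B (needs 6.3): NAT traversal (NAT-T) on the VPN endpoint.
!     Negotiates UDP/4500 encapsulation of ESP with the client, so the PAT device
!     only has to pass UDP; this is what lets a PIX that is also a VPN endpoint
!     sit behind another NAT. The number is the NAT keepalive interval in seconds.
pixfirewall(config)# isakmp nat-traversal 20

! --- Verify on the head-end while the remote client generates traffic:
pixfirewall# show crypto ipsec sa
! Look at "#pkts encaps" and "#pkts decaps" for the client's SA. Decaps staying at 0
! while the client's own encaps counter climbs means ESP is being dropped in transit
! (the PAT case above); both counters rising means the tunnel is passing data and
! the remaining problem is routing or access lists, not NAT.
```

Reading the two options together: a PAT device that is not a VPN endpoint can use either one, while a PIX that terminates its own IPsec tunnels (as briankeegan's does) is limited to NAT-T, which is why upgrading the endpoint to 6.3 is the answer the thread settles on.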