Solved

cisco vpn client through 2 firewalls

Posted on 2004-08-11
Last Modified: 2008-02-26
Hello all, I have a PIX 501 firewall running 6.2(2), with Easy VPN set up (I hope that was the right phrase). From home it works fine for me and everyone else using it.
The problem arises when I try doing this from our remote location in Bala, which is behind a firewall with their own NATting, and then connect to ours: we can't map to inside addresses or join the domain.
Now it makes the IPsec SA and I can see it decapping/encapping; the Cisco VPN connection looks fine.
Question by:briankeegan
21 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11776204
Hi briankeegan,
Can you ask them to make sure ESP (IP protocol 50) is permitted through their firewall? If it isn't, then you will be able to authenticate but not transfer any data.
 
LVL 1

Author Comment

by:briankeegan
ID: 11776387
Here in Bloomfield we have two of our servers statically NATted to outside public addresses. We can map to those and transfer data back to Bala, PA, so I assume ESP is permitted; I know on my side it is.
 
LVL 1

Author Comment

by:briankeegan
ID: 11784940
Sorry for asking the same types of questions over and over again; they must seem quite boring. I just can't figure out why it works one way, then you try it behind a firewall and it stops working.
 
LVL 36

Expert Comment

by:grblades
ID: 11785842
Can you clarify a few things.

Can you establish a VPN to or from Bala to anywhere else?
Are all your VPN connections IPSEC or PPTP?

You can obviously authenticate to Bala. Can you transfer any data at all, such as being able to ping another server?
 
LVL 1

Author Comment

by:briankeegan
ID: 11786157
Behind their firewall in Bala is shared office space; some of them are VPN'ing.
On our firewall here in Bloomfield some of them are remote access; we have one point-to-point VPN connection going.
I can ping the outside address that my servers are directly NATted to, i.e. 192.168.30.10 to 208.xx.xxx.12.
 
LVL 36

Expert Comment

by:grblades
ID: 11786255
How are you trying to connect to Bala?
Is it a fixed point to point VPN or are you using a client?
Are you using an IPSEC or PPTP VPN?
Where is the VPN server in Bala? Is it behind the firewall or is it the firewall itself?
 
LVL 1

Author Comment

by:briankeegan
ID: 11786275
Remote client from Bala to me here in Bloomfield; we are using IPsec.
The VPN server for us here is a PIX firewall; it is the same at Bala.
 
LVL 36

Expert Comment

by:grblades
ID: 11786429
So you can use the Cisco VPN client and connect to your office from other locations except Bala.
Is the 'firewall' at Bala you refer to the PIX?
What internal IP address ranges are you using in your office and at Bala?
If you establish a VPN and try connecting what is shown in the logs at your office PIX?
 
LVL 1

Author Comment

by:briankeegan
ID: 11786686
The firewalls at Bala and Bloomfield are both PIX. The address range for here is 192.168.200.*. The PDM shows they are connected and decapping/encapping, and the IKE SA is QM_IDLE just like the other person connected to us.

I was thinking that since we have 6.2 and not 6.3, NAT transparency won't work, hence no double NATting, but I am not sure if that is true.
 
LVL 36

Expert Comment

by:grblades
ID: 11786757
I am not sure about the nat transparency issue. I think the best person to ask would be 'lrmoore'. I don't think he monitors this section as much as he does some others so you might want to find a recent topic he has posted a comment in and ask him to have a look at yours.
 
LVL 1

Author Comment

by:briankeegan
ID: 11786973
OK, thank you kindly.
 
LVL 1

Author Comment

by:briankeegan
ID: 11787179
How do I go about asking him? I never did that before and am not sure if that is a breach of etiquette.
 
LVL 36

Expert Comment

by:grblades
ID: 11787206
I'll post at the question shown below and ask him to have a look.
http://www.experts-exchange.com/Networking/Q_21087619.html
 
LVL 1

Author Comment

by:briankeegan
ID: 11787218
thank you very much
 
LVL 79

Expert Comment

by:lrmoore
ID: 11788093
Highly suggest upgrading to 6.3(4) to get the nat-transparency feature. This would be required in Bala, but not necessarily in Bloomfield.
If the PIX in bala is not a VPN endpoint, then you can look at enabling fixup protocol esp-ike
 
LVL 1

Author Comment

by:briankeegan
ID: 11788123
Thank you a lot. Is there any way to know for sure if this is a NAT transparency issue or something else? I am in the process of battling the evil bean counters to buy a SmartNet contract for the PIX so I can get this, but they are being cheap.
 
LVL 1

Author Comment

by:briankeegan
ID: 11788342
Please, how do you enable fixup protocol esp-ike?

----thanks
            Brian Keegan
 
LVL 79

Expert Comment

by:lrmoore
ID: 11789213
pixfirewall(config)#fixup protocol esp-ike

If you can answer one question, then we can nail it down to a nat transparency issue.
If there is only one IP address, and the pix is configured to use the interface for nat, as:
global (outside) 1 interface

Then it is without doubt a nat transparency issue.
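Why the single public address decides this, as an added illustration written for this page (not code from the thread and not Cisco's): raw ESP is IP protocol 50 and has no port field, so a PAT device that hides a whole office behind one address, which is what `global (outside) 1 interface` does, has nothing to rewrite and can at best pass one inside host's ESP. That single pass-through is what `fixup protocol esp-ike` provides on 6.3, which is why lrmoore limits it to a PIX that is not itself a VPN endpoint. NAT traversal (the 6.3 `isakmp nat-traversal` feature; the Cisco VPN client negotiates it automatically once the head-end offers it) wraps ESP in UDP/4500, which PAT handles like any other UDP flow, so Bala's firewall must then let UDP/4500 out and its replies back, not only UDP/500. The model below builds constructed packets, shows what a PAT box can see in each one, and runs two clients through a single-address PAT with one ESP slot; the addresses are documentation ranges, not the thread's, and the PAT logic is a simplification, not the PIX implementation.

```python
import socket
import struct

# IP protocol numbers and the ports IKE and NAT-T (RFC 3947/3948) use.
TCP, UDP, ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext


def classify(pkt):
    """What a PAT device can see in one packet: addresses, protocol and, where present, ports or SPI."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:total_len]
    info = {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto in (TCP, UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        info["pat_able"] = True  # a port field exists, so PAT can rewrite it
        if proto == UDP and info["dport"] == NAT_T_PORT:
            inner = body[8:]
            if inner[:4] == b"\x00\x00\x00\x00":
                info["nat_t"] = "ike"  # four-zero-byte non-ESP marker: IKE floated to 4500
            else:
                info["nat_t"] = "esp"  # UDP-encapsulated ESP: the SPI follows the UDP header
                info["spi"] = struct.unpack("!I", inner[:4])[0]
    elif proto == ESP:
        info["spi"] = struct.unpack("!I", body[:4])[0]
        info["pat_able"] = False  # raw ESP carries no port; nothing to multiplex on
    return info


class PatTable:
    """Single-address PAT (what 'global (outside) 1 interface' gives you) with one ESP pass-through slot.
    Simplified model for illustration, not the PIX implementation."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip, self.next_port = public_ip, first_port
        self.flows = {}        # (inside ip, proto, inside port) -> outside port
        self.esp_owner = None  # only one inside host can own protocol 50 at a time

    def translate(self, pkt):
        info = classify(pkt)
        if info.get("pat_able"):
            key = (info["src"], info["proto"], info["sport"])
            if key not in self.flows:
                self.flows[key], self.next_port = self.next_port, self.next_port + 1
            return self.public_ip, self.flows[key]
        if info["proto"] == ESP and self.esp_owner in (None, info["src"]):
            self.esp_owner = info["src"]
            return self.public_ip, None  # address rewritten, no port to rewrite
        raise ValueError(f"cannot PAT raw ESP from {info['src']}: slot held by {self.esp_owner}")


def demo():
    """Two VPN clients behind the same PAT: raw ESP fails for the second one, NAT-T works for both."""
    gw = "198.51.100.1"        # constructed head-end address (the thread's real ones are masked)
    pat = PatTable("203.0.113.5")
    a, b = "192.168.30.10", "192.168.30.11"
    results = {}
    # IKE on UDP/500 is fine for both clients: UDP has ports, so both 'authenticate'.
    for host in (a, b):
        results[("ike", host)] = pat.translate(build_ipv4(UDP, host, gw, build_udp(500, IKE_PORT, b"\x00" * 28)))
    # Raw ESP: the first client takes the only slot; the second cannot be translated (no data flows).
    results[("esp", a)] = pat.translate(build_ipv4(ESP, a, gw, build_esp(0x1000, 1, b"ct")))
    try:
        pat.translate(build_ipv4(ESP, b, gw, build_esp(0x2000, 1, b"ct")))
        results[("esp", b)] = "translated"
    except ValueError as e:
        results[("esp", b)] = str(e)
    # NAT-T: ESP inside UDP/4500 gets its own outside port per client like any other UDP flow.
    for host, spi in ((a, 0x1000), (b, 0x2000)):
        pkt = build_ipv4(UDP, host, gw, build_udp(4500, NAT_T_PORT, build_esp(spi, 1, b"ct")))
        results[("natt", host)] = pat.translate(pkt)
    return results
```

Running `demo()` shows the thread's symptom in miniature: both clients get an IKE mapping (the SA comes up, QM_IDLE), only one of them can push raw ESP through the single address, and once the same ESP is carried in UDP/4500 each client gets a distinct outside port. The decisive check on the real PIX is the one lrmoore gives: a lone public address with `global (outside) 1 interface` means you are multiplexing protocol 50 through PAT, and only NAT-T on 6.3 can make that work for more than one host.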
 
LVL 1

Author Comment

by:briankeegan
ID: 11793840
I tried that command and it does not work. Maybe because it comes with 6.3?
And our outside interface says global (outside) 10 interface; we only use one IP address for it.
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 11793920
You need 6.3
 
LVL 1

Author Comment

by:briankeegan
ID: 11794094
OK, thank you. Now, seeing as it is also an endpoint going to another VPN, will that cause issues if we use pixfirewall(config)#fixup protocol esp-ike?

Thanks again. I guess this also counts as the solution. Also, sorry for asking so many VPN questions; I seem to be learning on the fly.
