Solved

cisco vpn client through 2 firewalls

Posted on 2004-08-11
21
1,546 Views
Last Modified: 2008-02-26
Hello all, I have a PIX 501 firewall running 6.2(2), with Easy VPN set up (I hope that was the right phrase). From home it works fine for me and everyone else using it.
The problem arises when I try doing this from our remote location in Bala, which is behind a firewall with their own NATting, then connect to ours; we can't map to inside addresses or join the domain.
Now it makes the IPsec SA and all, I can see it decapping/encapping, the Cisco VPN connection looks fine.
0
Question by:briankeegan
21 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11776204
Hi briankeegan,
Can you ask them to make sure ESP (IP protocol 50) is permitted through their firewall? If it isn't, then you will be able to authenticate but not transfer any data.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11776387
Here in Bloomfield we have 2 of our servers static NATted to outside public addresses; we can map to those and transfer data back to Bala, PA, so I assume ESP is permitted. I know on my side it is.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11784940
Sorry for asking the same types of questions over and over again; they must seem quite boring. I just can't figure out why it works one way, then you try it behind a firewall and it stops working.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11785842
Can you clarify a few things.

Can you establish a VPN to or from Bala to anywhere else?
Are all your VPN connections IPSEC or PPTP?

You can obviously authenticate to Bala. Can you transfer any data at all, such as being able to ping another server?
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786157
Behind their firewall in Bala is shared office space; some of them are VPN'ing.
On our firewall here in Bloomfield some of them are remote access; we have one point-to-point VPN connection going.
I can ping the outside address that my servers are directly NATted to, i.e. 192.168.30.10 -> 208.xx.xxx.12
0
 
LVL 36

Expert Comment

by:grblades
ID: 11786255
How are you trying to connect to Bala?
Is it a fixed point to point VPN or are you using a client?
Are you using an IPSEC or PPTP VPN?
Where is the VPN server in Bala? Is it behind the firewall or is it the firewall itself?
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786275
Remote client from Bala to me here in Bloomfield; we are using IPsec.
The VPN server for us here is a PIX firewall; it is the same at Bala.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11786429
So you can use the Cisco VPN client and connect to your office from other locations except Bala.
Is the 'firewall' at Bala you refer to the PIX?
What internal IP address ranges are you using in your office and at Bala?
If you establish a VPN and try connecting what is shown in the logs at your office PIX?
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786686
The firewalls at Bala and Bloomfield are both PIX. The address range for here is 192.168.200.*. The PDM shows they are connected and de/encapping, and connected as well as the IKE SA is QM_IDLE, just like the other person connected to us.

I was thinking that since we have 6.2 and not 6.3, NAT transparency won't work, hence no double NATting, but I am not sure if that is true.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11786757
I am not sure about the nat transparency issue. I think the best person to ask would be 'lrmoore'. I don't think he monitors this section as much as he does some others so you might want to find a recent topic he has posted a comment in and ask him to have a look at yours.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11786973
OK, thank you kindly
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11787179
how do i go about asking him? I never did that before and am not sure if that is a breach of Etiquette
0
 
LVL 36

Expert Comment

by:grblades
ID: 11787206
I'll post at the question shown below and ask him to have a look.
http://www.experts-exchange.com/Networking/Q_21087619.html
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11787218
thank you very much
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11788093
Highly suggest upgrading to 6.3(4) to get the nat-transparency feature. This would be required in Bala, but not necessarily in Bloomfield.
If the PIX in bala is not a VPN endpoint, then you can look at enabling fixup protocol esp-ike
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11788123
Thank you a lot. Is there any way to know for sure if this is a NAT transparency issue or something else? I am in the process of battling the evil bean counters to buy a SmartNet contract for the PIX so I can get this, but they are being cheap.
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11788342
Please, how do you enable fixup protocol esp-ike?

----thanks
Briank Keegan
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11789213
pixfirewall(config)#fixup protocol esp-ike

If you can answer one question, then we can nail it down to a nat transparency issue.
If there is only one IP address, and the pix is configured to use the interface for nat, as:
global (outside) 1 interface

Then it is without doubt a nat transparency issue.
0
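The check lrmoore describes (a single public address with `global (outside) N interface`, i.e. PAT on the interface, on a PIX that is not a 6.3 release with NAT traversal) can be scripted over a saved config so it is not done by eye. The following is an added example, not code from this thread or from Cisco; the two sample configs are constructed, and the `isakmp nat-traversal` and `fixup protocol esp-ike` lines it looks for are the PIX 6.3 commands the thread refers to.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configs (assumption: simplified, not the poster's real configs).
PIX_62_CONFIG = """\
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.30.1 255.255.255.0
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
"""

PIX_63_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
"""

VERSION_RE = re.compile(r"^PIX Version (\d+)\.(\d+)", re.MULTILINE)
# 'global (if) id interface' = PAT everything onto the interface's own address.
GLOBAL_IF_RE = re.compile(r"^global \((\S+)\) (\d+) interface[ \t]*$", re.MULTILINE)
# 'global (if) id a.b.c.d[-w.x.y.z]' = a pool of real public addresses.
GLOBAL_POOL_RE = re.compile(r"^global \((\S+)\) (\d+) (\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE)
NAT_T_RE = re.compile(r"^isakmp nat-traversal", re.MULTILINE)
FIXUP_ESP_IKE_RE = re.compile(r"^fixup protocol esp-ike", re.MULTILINE)


def pix_version(cfg: str) -> Optional[Tuple[int, int]]:
    m = VERSION_RE.search(cfg)
    return (int(m.group(1)), int(m.group(2))) if m else None


def pat_interfaces(cfg: str) -> List[str]:
    """Interfaces whose global pool is the interface address itself (PAT on one IP)."""
    return [m.group(1) for m in GLOBAL_IF_RE.finditer(cfg)]


def has_address_pool(cfg: str) -> bool:
    return GLOBAL_POOL_RE.search(cfg) is not None


def nat_t_available(version: Optional[Tuple[int, int]]) -> bool:
    # NAT transparency (ESP wrapped in UDP/4500) arrived with PIX 6.3.
    return version is not None and version >= (6, 3)


def nat_t_enabled(cfg: str) -> bool:
    return NAT_T_RE.search(cfg) is not None


def assess(cfg: str, pix_is_vpn_endpoint: bool = True) -> Dict[str, object]:
    """Decide whether a client behind this PIX would hit the NAT transparency problem."""
    version = pix_version(cfg)
    pat_ifs = pat_interfaces(cfg)
    single_ip_pat = bool(pat_ifs) and not has_address_pool(cfg)
    available = nat_t_available(version)
    enabled = nat_t_enabled(cfg)
    findings: List[str] = []
    if single_ip_pat:
        findings.append(
            "PAT on a single interface address: ESP (IP protocol 50) carries no ports, "
            "so IKE (UDP/500) completes and the SA shows up, but ESP data cannot be "
            "translated back to the inside client without NAT-T (UDP/4500)."
        )
    if single_ip_pat and not available:
        findings.append("This release has no NAT traversal; 6.3 (the thread suggests 6.3(4)) is needed.")
    elif single_ip_pat and available and not enabled:
        findings.append("NAT traversal is supported but not configured: add 'isakmp nat-traversal 20'.")
    if not pix_is_vpn_endpoint and available and not FIXUP_ESP_IKE_RE.search(cfg):
        findings.append("PIX is not the tunnel endpoint: the thread's alternative is 'fixup protocol esp-ike'.")
    return {
        "version": version,
        "pat_interfaces": pat_ifs,
        "nat_t_available": available,
        "nat_t_enabled": enabled,
        "nat_transparency_issue": single_ip_pat and not enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("6.2 config", PIX_62_CONFIG), ("6.3 config", PIX_63_CONFIG)):
        result = assess(cfg)
        print(f"{name}: issue={result['nat_transparency_issue']}")
        for line in result["findings"]:
            print("  -", line)
```

Run it against a `write terminal` capture from the remote-site PIX; `nat_transparency_issue` is True exactly in the situation the thread settles on (one public address, PAT on the interface, no NAT-T in play), and the findings say whether the fix is a software upgrade, a missing `isakmp nat-traversal` line, or the `fixup protocol esp-ike` route for a PIX that does not terminate the tunnel itself.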
 
LVL 1

Author Comment

by:briankeegan
ID: 11793840
I tried that command and it does not work; maybe because it comes with 6.3?
And our outside interface says global (outside) 10 interface; we only use one IP address for it.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11793920
You need 6.3
0
 
LVL 1

Author Comment

by:briankeegan
ID: 11794094
OK, thank you. Now, seeing as it is also an endpoint going to another VPN, will that cause issues if we use pixfirewall(config)#fixup protocol esp-ike?

Thanks again. I guess this also counts as the solution. Also, sorry for asking so many VPN questions; I seem to be learning on the fly.

0