

Cannot establish UDP VPN connections from behind PIX 501

Posted on 2005-05-15
Medium Priority
Last Modified: 2008-03-17
My setup is as follows:
  Linksys router connected to Cable modem
   port 80 forwards to my web server
  vpn passthrough enabled
  default route for web server goes through Linksys router

PIX 501 behind Linksys
  All computer clients connected to the PIX.
Using Cisco VPN client 4.6.0049

  I can establish both UDP and TCP VPN connections from my web server through the Linksys
  I can establish TCP VPN connections from behind the PIX
  I CANNOT establish UDP VPN connections from behind the PIX.

Here is my config. Thanks in advance!

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

Question by: pHOdAT

Accepted Solution

lrmoore earned 1050 total points
ID: 14006540
Do you have the PIX outside IP as the DMZ host?
What function is the Linksys providing beyond what the PIX itself can provide? I would say to take the Linksys completely out of the picture and try just putting the PIX on a public IP on the outside, forward port 80 to your web server and protect all clients this way.

>isakmp nat-traversal 20
That command already in your PIX is what enables use of UDP, so there is nothing wrong with your PIX config.

Author Comment

ID: 14011732
OK, I have removed the Linksys totally and recabled my network to go out the PIX. I just shut down the web server for now just as a test. I am still having the same problem. I can VPN over TCP but cannot over UDP. Aaahhhh!

Author Comment

ID: 14011883
I believe I have found the answer from another one of your posts. I had to add fixup protocol esp-ike to my config and she worked like a charm. I am going to try and cable my network the way it was before to see if it will work.

Author Comment

ID: 14011940
After recabling my network using the Linksys as my internet gateway, all is still working. Looks like the fixup protocol command was the missing link. Thanks!

Expert Comment

ID: 14012721
Good job!
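
An added example, not part of the original thread and not Cisco tooling: a small Python check for the two commands the thread names, run over a constructed subset of the posted config, plus the config with the asker's fix applied. The function names, and the rule that the fixup is only checked when inside hosts are PATed to the outside interface, are assumptions of this example.

```python
import re

# Constructed sample: a subset of the config lines posted in the question.
POSTED_CONFIG = """\
PIX Version 6.3(3)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol sip udp 5060
global (outside) 1 interface
nat (inside) 1 0 0
isakmp nat-traversal 20
"""

def parse_pix_config(text):
    """Collect the settings this thread discusses from a PIX 6.x config."""
    cfg = {"fixups": set(), "nat_traversal": None, "pat": False}
    for raw in text.splitlines():
        line = raw.strip()
        # match() anchors at the start, so "no fixup protocol ..." is ignored.
        m = re.match(r"fixup protocol (\S+)", line)
        if m:
            cfg["fixups"].add(m.group(1))
        m = re.match(r"isakmp nat-traversal\s*(\d*)$", line)
        if m:
            cfg["nat_traversal"] = m.group(1) or "enabled"
        # Assumption: PAT to the outside interface, as in the posted config.
        if re.match(r"global \(\S+\) \d+ interface$", line):
            cfg["pat"] = True
    return cfg

def vpn_passthrough_findings(text):
    """Report on the two commands named in the thread."""
    cfg = parse_pix_config(text)
    findings = []
    if cfg["pat"] and "esp-ike" not in cfg["fixups"]:
        findings.append("missing: fixup protocol esp-ike")
    if cfg["nat_traversal"] is not None:
        findings.append("present: isakmp nat-traversal " + cfg["nat_traversal"])
    return findings

def add_esp_ike_fixup(text):
    """Return the config with the asker's fix inserted after the last fixup line."""
    lines = text.splitlines()
    if any(l.strip() == "fixup protocol esp-ike" for l in lines):
        return text
    idx = max((i for i, l in enumerate(lines) if l.startswith("fixup protocol ")), default=-1)
    lines.insert(idx + 1, "fixup protocol esp-ike")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(vpn_passthrough_findings(POSTED_CONFIG))
    print(vpn_passthrough_findings(add_esp_ike_fixup(POSTED_CONFIG)))
```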
