remote access from VPN client to pix501 server

Hi friends,

I put the PIX outside address 192.168.0.4 in the DMZ on the Netgear router and opened VPN-IPsec UDP 500 on the firewall. Now the settings for the PIX:
inside address 192.168.1.1
host 192.168.1.2
outside 192.168.0.3 from DHCP on the Netgear router

Do I still need an access-list when the VPN wizard has created the tunnel? On which interface should I apply the access-list?
What should the pool addresses be?


vpn client4.8----cable modem---Internet-----netgearAdslrouter---Pix501---HOST



Thanks in advance
caruliAsked:

stressedout2004Commented:
Assuming the default configuration, the only access-list you need is the NAT 0 access-list and, optionally, the split-tunneling access-list.
If you use the PDM VPN wizard, it will automatically create this access-list for you as long as you provide the necessary parameters that it asks for. So the answer to your question is no, you don't have to create an access-list when using the VPN wizard.

Now for the pool addresses, you can use any subnet that is not used within the PIX internal network. So in your network, you can use any addresses outside 192.168.1.0/24, say 192.168.100.1-192.168.100.254.

Also please take note that since the PIX is behind the Netgear, make sure that you have the following on the Netgear router:

1) The PIX outside IP address should have a one-to-one NAT mapping. Or, if you have no spare public IP address,
you can try redirecting ports UDP 500 and 4500 on the Netgear (haven't tried this).

2) Add a rule that allows inbound connections to UDP 500, 4500 and ESP on the Netgear (depending on existing rules).

You have to enable NAT-traversal on the PIX if you choose to do the port redirection.


caruliAuthor Commented:
I did the VPN wizard for remote access. Still no access.
How do I perform a one-to-one NAT mapping on the outside interface??
I have a static public address assigned from the ISP.

If the ports ESP and UDP 4500 are not listed in the Netgear under the firewall section,
shall I add them to services?

I can see the public address on the PIX, and the remote user is in, but when she types
\\192.68.1.2 in Start > Run she should see my shared folders.

I never give up.

Any help?
stressedout2004Commented:
>>>> How do I perform a one-to-one NAT mapping on the outside interface?? I have a static public address assigned from the ISP.

How many public IP addresses are you getting from your ISP? If you are only getting one public IP address then you can't do one-to-one NAT.

>>>> If the ports ESP and UDP 4500 are not listed in the Netgear under the firewall section, shall I add them to services?

Yes, just add another custom service. You can add UDP 4500 as a custom service, but I don't think Netgear will allow you
to add ESP. ESP is a protocol; unlike TCP and UDP it is portless.

>>>> I can see the public address on the PIX, and the remote user is in, but when she types \\192.68.1.2 in Start > Run she should see my shared folders.

In your case, IPsec will use either ESP or UDP 4500 to pass traffic. So you have to make sure you configure your
Netgear for port redirection on both UDP 500 and UDP 4500. Once you have configured your Netgear to do that,
you have to enable NAT-Traversal on the PIX so it allows you to pass traffic using UDP 4500. To do that on the PIX,
just open the PDM and click Configuration > VPN tab, under Categories select IKE > Policies, then select "enable NAT traversal" and apply the changes.

Now ask your user to reconnect with the VPN client. Once connected, verify that UDP 4500 is active on the client side.
Just right-click the lock icon of the VPN client in the system tray and click Statistics. Under Transport, it should say
Transparent Tunneling: Active on UDP 4500.

If this doesn't work, post your PIX configuration so I can verify the config and will go from there.
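Putting the two answers together, this is the shape of the PIX 6.3 remote-access configuration the wizard produces, written here as an added example rather than taken from this thread or from the PIX itself: it assumes an inside LAN of 192.168.1.0/24, the 192.168.100.0/24 pool suggested above, a group name REMOTE with a placeholder pre-shared key, interfaces named inside and outside, and that the Netgear forwards UDP 500 and 4500 to the PIX outside address. Lines starting with ! are comments for the reader.

```cisco
! Added example, not the thread's own config. Assumptions: inside LAN 192.168.1.0/24,
! pool 192.168.100.0/24, group REMOTE, placeholder pre-shared key, interfaces inside/outside.

! Pool for VPN clients: a subnet not used behind the PIX (and not the Netgear's 192.168.0.0/24)
ip local pool VPNPOOL 192.168.100.1-192.168.100.254

! NAT 0 (nat exemption): inside hosts talk to VPN clients without translation
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Optional split tunnel: only traffic for the inside LAN goes through the tunnel
access-list SPLIT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Let decrypted IPsec traffic bypass the outside interface access-list,
! which is why no extra interface access-list is needed for the VPN
sysopt connection permit-ipsec

! IKE phase 1 on the outside interface
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! NAT-Traversal: the PIX outside (192.168.0.x) sits behind the Netgear's NAT, so ESP is
! wrapped in UDP 4500, which the Netgear can port-forward; keepalive every 20 seconds.
! Without this the tunnel comes up but client traffic (plain ESP) never reaches the PIX.
isakmp nat-traversal 20

! IPsec phase 2: a dynamic crypto map because client source addresses are not known ahead
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP client configuration address initiate
crypto map VPNMAP client configuration address respond
crypto map VPNMAP interface outside

! Client group: pool, split tunnel, and the group pre-shared key configured in the VPN client
vpngroup REMOTE address-pool VPNPOOL
vpngroup REMOTE split-tunnel SPLIT
vpngroup REMOTE idle-time 1800
vpngroup REMOTE password GROUP_PRESHARED_KEY_PLACEHOLDER
```

After a client connects, `show isakmp sa` and `show crypto ipsec sa` on the PIX show the phase 1 and phase 2 associations, and a non-zero encrypt/decrypt packet count in the latter confirms NAT-T is carrying the client traffic.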