remote access from VPN client to pix501 server

Posted on 2006-04-14
Last Modified: 2013-11-16
Hi friends,

I put the PIX outside address 192.168.0.4 in the DMZ on the Netgear router and opened VPN-IPsec UDP 500 on the firewall. Now the settings for the PIX:
inside address 192.168.1.1
host 192.168.1.2
outside 192.168.0.3 from DHCP on the Netgear router

Do I still need an access-list when the VPN wizard created the tunnel? On which interface should I apply the access-list?
What should the pool addresses be?

vpn client 4.8----cable modem---Internet-----Netgear ADSL router---Pix501---HOST

Thanks in advance
Question by:caruli
Accepted Solution

by: stressedout2004 (earned 2000 total points), ID: 16453628
Assuming the default configuration, the only access-list you need is the NAT 0 access-list and, optionally, the split-tunneling access-list.
If you use the PDM VPN wizard, it will automatically create this access-list for you as long as you provide the parameters it asks for. So the answer to your question is NO, you don't have to create an access-list when using the VPN wizard.

Now for the pool addresses, you can use any subnet that is not used within the PIX internal network. So in your network, you can use any address range outside 192.168.1.0/24, say 192.168.100.1-192.168.100.254.

Also please take note that since the PIX is behind the Netgear, make sure you have the following on the Netgear router:

1) The PIX outside IP address should have a one-to-one NAT mapping. Or, if you have no spare public IP address, you can try port-redirecting UDP 500 and 4500 on the Netgear (haven't tried this).

2) Add a rule that allows inbound connections to UDP 500, 4500 and ESP on the Netgear (depending on existing rules).

You have to enable NAT-traversal on the PIX if you choose to do the port redirection.
Author Comment

by: caruli, ID: 16455801
I did the VPN wizard for remote access; still no access.
How do I perform a one-to-one NAT mapping on the outside interface??
I have a static public address assigned from the ISP.

If the ports ESP / UDP 4500 are not listed in the Netgear under the firewall section,
shall I add them to services?

I can see the public address on the PIX; the remote user is in, but when she types
Start > Run \\192.68.1.2 she should see my shared folders.

I never give up.

Any help?
Expert Comment

by: stressedout2004, ID: 16460985
>>>> How do I perform a one-to-one NAT mapping on the outside interface?? I have a static public address assigned from the ISP.

How many public IP addresses are you getting from your ISP? If you are only getting one public IP address, then you can't do one-to-one NAT.

>>>> If the ports ESP / UDP 4500 are not listed in the Netgear under the firewall section, shall I add them to services?

Yes, just add another custom service. You can add UDP 4500 as a custom service, but I don't think Netgear will allow you
to add ESP. ESP is a protocol; unlike TCP and UDP it is portless.

>>>> I can see the public address on the PIX; the remote user is in, but when she types Start > Run \\192.68.1.2 she should see my shared folders.

In your case, IPsec will use either ESP or UDP 4500 to pass traffic. So you have to make sure you configure your
Netgear for port redirection on both UDP 500 and UDP 4500. Once you have configured your Netgear to do that,
you have to enable NAT-Traversal on the PIX so it allows you to pass traffic using UDP 4500. To do that on the PIX,
just open the PDM and click Configuration > VPN tab, under Categories select IKE > Policies, then select "Enable NAT traversal" and apply the changes.

Now ask your user to reconnect with the VPN client. Once connected, verify that UDP 4500 is active on the client side.
Just right-click the lock icon of the VPN client in the system tray and click Statistics. Under Transport, it should say
Transparent Tunneling: Active on UDP 4500.

If this doesn't work, post your PIX configuration so I can verify the config and we will go from there.
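For reference, here is the PIX 6.3 CLI equivalent of what the accepted solution describes the PDM VPN wizard generating (NAT 0 access-list, optional split-tunnel access-list, address pool), together with the NAT-traversal setting from the follow-up comment. This is an added example, not configuration posted in the thread or taken from Cisco documentation; the addresses are the ones given above, and the names vpnpool, nonat, splittun, dynmap, clientmap, REMOTE and the pre-shared-key placeholder are assumptions.

```cisco
! Added example: PIX 501 (6.3) remote-access VPN behind a NAT router.
! Interface addresses as posted in the question.
ip address inside 192.168.1.1 255.255.255.0
ip address outside dhcp setroute

! Client address pool: a subnet NOT in use behind the PIX (the answer's suggestion).
ip local pool vpnpool 192.168.100.1-192.168.100.254

! NAT 0: traffic from the inside LAN to VPN clients must not be translated,
! otherwise replies to the client are NATed and the tunnel "connects" but nothing works.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Optional split tunneling: only the inside LAN is sent through the tunnel.
access-list splittun permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Decrypted IPsec traffic bypasses interface access-lists, so no outside ACL
! is needed for the VPN itself (this is why the answer says "NO").
sysopt connection permit-ipsec

! IKE phase 1 on the outside interface.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2: dynamic crypto map because client addresses are unknown in advance.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap interface outside

! Group the Cisco VPN Client connects with (group name and key are placeholders).
vpngroup REMOTE address-pool vpnpool
vpngroup REMOTE split-tunnel splittun
vpngroup REMOTE idle-time 1800
vpngroup REMOTE password <PRE-SHARED-KEY-PLACEHOLDER>

! NAT traversal (the setting the follow-up comment enables in PDM under IKE > Policies):
! encapsulates ESP in UDP 4500 so the Netgear's port-based forwarding can pass it.
! 20 is the keepalive interval in seconds.
isakmp nat-traversal 20
```

On the Netgear side the matching change is a port-forwarding rule for UDP 500 and UDP 4500 to the PIX outside address. ESP is a protocol rather than a port, so a port-based rule cannot forward it; that is why NAT-T (UDP 4500) has to be enabled on the PIX when it sits behind a NAT router. A quick check after connecting is the VPN client's Statistics window, which should report Transparent Tunneling: Active on UDP 4500, and `show crypto ipsec sa` on the PIX, where the encaps/decaps counters should both be increasing.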