caruli

asked on

remote access from VPN client to pix501 server

Hi friends,

I put the PIX outside address 192.168.0.4 in the DMZ on the Netgear router, and I opened VPN-IPsec UDP 500 on the firewall. Now the settings for the PIX:
inside address 192.168.1.1
host 192.168.1.2
outside 192.168.0.3 from DHCP on the Netgear router

Do I still need an access-list when the VPN wizard created the tunnel? On which interface
should I apply the access-list?
What should the pool addresses be?


vpn client4.8----cable modem---Internet-----netgearAdslrouter---Pix501---HOST



Thanks in advance
ASKER CERTIFIED SOLUTION
stressedout2004
caruli (ASKER)

I ran the VPN wizard for remote access. Still no access.
How do I perform a one-to-one NAT mapping on the outside interface?
I have a static public address assigned from the ISP.

If ESP and UDP 4500 are not listed in the Netgear under the firewall section,
shall I add them to services?

I can see the public address on the PIX; the remote user is in, but when she types
\\192.68.1.2 into Start > Run she should see my shared folders.

I never give up.

Any help?
>>>> How do I perform a one-to-one NAT mapping on the outside interface?? I have a static public address assigned from the ISP.

How many public IP addresses are you getting from your ISP? If you are only getting one public IP address, then you can't do one-to-one NAT.

>>>> If ESP and UDP 4500 are not listed in the Netgear under the firewall section, shall I add them to services?

Yes, just add another custom service. You can add UDP 4500 as a custom service, but I don't think Netgear will allow you
to add ESP. ESP is a protocol; unlike TCP and UDP, it is portless.

>>>> I can see the public address on the PIX; the remote user is in, but when she types \\192.68.1.2 into Start > Run she should see my shared folders.

In your case, IPsec will use either ESP or UDP 4500 to pass traffic. So you have to make sure you configure your
Netgear for port redirection on both UDP 500 and UDP 4500. Once you have configured your Netgear to do that,
you have to enable NAT Traversal on the PIX so it allows you to pass traffic using UDP 4500. To do that on the PIX,
just open the PDM and click Configuration > VPN tab; under Categories select IKE > Policies, then select "Enable NAT Traversal" and apply the changes.

Now ask your user to reconnect with the VPN client. Once connected, verify whether UDP 4500 is active on the client side.
Just right-click the lock icon of the VPN client in the system tray and click Statistics. Under Transport, it should say
Transparent Tunneling: Active on UDP 4500.

If this doesn't work, post your PIX configuration so I can verify the config, and we will go from there.
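The answer above rests on two facts about what a port-forwarding router like the Netgear can and cannot see: raw ESP is IP protocol 50 with no port fields at all (so no "service" rule can match it), while NAT Traversal moves both IKE and ESP onto UDP 4500, where IKE is marked by four zero bytes (the non-ESP marker) and everything else is ESP with its SPI in front. The following Python script is an added example, not code from the original thread or from Cisco or Netgear; it builds a few constructed packets (the client address 203.0.113.10 and PIX public address 198.51.100.20 are assumed placeholders, not the asker's real ones) and classifies them the way a port-based redirection rule would, following the RFC 3947/3948 encapsulation layout.

```python
"""
Classify IKE, NAT-T and ESP packets as a port-forwarding router sees them.
Added example: constructed packets, not captured traffic.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50          # raw ESP: no ports, so no port-redirection rule can match it
IKE_PORT = 500
NATT_PORT = 4500

CLIENT, PIX_PUBLIC = "203.0.113.10", "198.51.100.20"   # assumed placeholder addresses


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload


def build_udp(sport, dport, payload):
    """UDP header with length filled in and checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_isakmp(exchange, body=b"\x00" * 8):
    """ISAKMP header: I-cookie(8) R-cookie(8) next-payload(1) version(1) exchange(1) flags(1) msgid(4) length(4)."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange, 0, 0, 28 + len(body)) + body


def isakmp_fields(data):
    """Pull the fields a troubleshooter cares about out of an ISAKMP header."""
    icookie, _rcookie, _npay, _ver, exch, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    return {"exchange": exch, "initiator_cookie": icookie.hex(), "msg_len": length}


def classify(packet):
    """Describe the packet from the point of view of a router that matches on UDP ports."""
    ver_ihl, _, total_len, _, _, _, proto, _, _src, _dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    payload = packet[(ver_ihl & 0x0F) * 4:total_len]
    result = {"proto": proto, "forwardable_by_port": False}
    if proto == IPPROTO_ESP:                        # ESP header is just SPI + sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        result.update(kind="ESP", spi=spi, seq=seq)
        return result
    if proto != IPPROTO_UDP:
        result["kind"] = "other"
        return result
    sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
    udp_payload = payload[8:ulen]
    result.update(sport=sport, dport=dport, forwardable_by_port=True)
    if dport == IKE_PORT:
        result["kind"] = "IKE"
        result.update(isakmp_fields(udp_payload))
    elif dport == NATT_PORT:
        if udp_payload == b"\xff":                  # RFC 3948 NAT keepalive: a single 0xFF byte
            result["kind"] = "NAT-T keepalive"
        elif udp_payload[:4] == b"\x00\x00\x00\x00":  # RFC 3947 non-ESP marker precedes IKE
            result["kind"] = "IKE over NAT-T"
            result.update(isakmp_fields(udp_payload[4:]))
        else:                                       # otherwise it is ESP: SPI (never zero) comes first
            spi, seq = struct.unpack("!II", udp_payload[:8])
            result.update(kind="ESP in UDP", spi=spi, seq=seq)
    else:
        result["kind"] = "UDP"
    return result


def router_can_forward(packet, forwarded_udp_ports=(IKE_PORT, NATT_PORT)):
    """True if a port-redirection rule keyed on UDP destination port could match this packet."""
    info = classify(packet)
    return info["forwardable_by_port"] and info["dport"] in forwarded_udp_ports


def sample_packets():
    """Constructed packets (not captured traffic) covering the cases discussed in the thread."""
    esp_hdr = struct.pack("!II", 0x0A1B2C3D, 7) + b"\xaa" * 16   # SPI, seq, dummy ciphertext
    return {
        "ike_udp500": build_ipv4(IPPROTO_UDP, CLIENT, PIX_PUBLIC, build_udp(500, 500, build_isakmp(4))),
        "ike_udp4500": build_ipv4(IPPROTO_UDP, CLIENT, PIX_PUBLIC,
                                  build_udp(4500, 4500, b"\x00\x00\x00\x00" + build_isakmp(4))),
        "esp_in_udp4500": build_ipv4(IPPROTO_UDP, CLIENT, PIX_PUBLIC, build_udp(4500, 4500, esp_hdr)),
        "natt_keepalive": build_ipv4(IPPROTO_UDP, CLIENT, PIX_PUBLIC, build_udp(4500, 4500, b"\xff")),
        "raw_esp": build_ipv4(IPPROTO_ESP, CLIENT, PIX_PUBLIC, esp_hdr),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:16} forwardable={router_can_forward(pkt)!s:5} {classify(pkt)}")
```

Exchange type 4 in the constructed IKE packets is Aggressive Mode, which the Cisco VPN Client uses with a pre-shared group key; the `raw_esp` case is the one the answer is warning about: with NAT Traversal disabled the PIX would answer with protocol-50 ESP, which carries no port for the Netgear rule to match, so the tunnel comes up but no data flows.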