Solved

Connecting Cisco vpn client to remote network from behind a pix firewall

Posted on 2007-03-29
Last Modified: 2010-04-09
Here is the situation:
My client has a network behind an old PIX firewall.  They FTP files to a remote site of one of their vendors.  They only had to use an emulation program (Mochasoft) with the correct IP address to connect.  The vendor has just implemented a new firewall and told my client they had to install the Cisco VPN client to connect to their site before they use the emulation program.  The Cisco VPN client connects to the site, but they cannot use the emulation program or FTP anything.  I noticed the VPN connection receives bytes, but has 0 sent bytes.  The VPN client works from other locations (such as home).  I know the problem must be because of the PIX the VPN client is behind.  Any help is appreciated.
Question by:jdltek
18 Comments
 

Author Comment

by:jdltek
ID: 18815572
I'm sorry, the VPN client connection sends bytes, but has 0 received bytes.
Packets "bypassed" shows a constant increase of more than one per second.
Transparent tunneling: Inactive.
Local LAN: Disabled.
LVL 1

Expert Comment

by:fwetzler
ID: 18816639
The information you gave is not very much.
- Is it "split tunnelling" or "full tunnelling"?
- Which protocols/ports are used (e.g. TCP 10000, or UDP 4500)?
- Your PIX (I don't know it): is it able to bypass the IKE protocol?

First suggested action: set the log of the Cisco client for all categories to "high", try a connect and look at the log of the Cisco client.
It's hard to read, but it is the only way to get information if you didn't set up the firewall and have no way to see the firewall configuration.
LVL 79

Expert Comment

by:lrmoore
ID: 18828419
Both your PIX and the remote PIX have to have nat-traversal enabled.

  isakmp nat-traversal 20


Author Comment

by:jdltek
ID: 18829573
The PIX is running version 4.3.  I don't see any isakmp commands in the manual.
LVL 79

Expert Comment

by:lrmoore
ID: 18830164
Ooooo....ouch. 4.3 does not support nat-traversal...
Your only option is a 1-1 static NAT for this client user.
LVL 79

Expert Comment

by:lrmoore
ID: 18830171
The other end still has to support nat-t
Is the other end (vpn server end) a PIX FW, or VPN3000 concentrator? Either one needs to be explicitly configured to allow nat-t over UDP.

Author Comment

by:jdltek
ID: 18830900
I'm pretty sure it is a PIX FW.

Author Comment

by:jdltek
ID: 18839173
O.K.  The Cisco VPN client is installed on XP behind a PIX firewall (running version 4.3) and is connecting to a VPN3000 on the remote end.  The VPN client does make the connection, but that's about all it does.  They can't FTP, ping or anything else.  The VPN client shows bytes being sent, but not received.  Supposedly NAT traversal is set up on the VPN3000.  Any ideas?
LVL 79

Expert Comment

by:lrmoore
ID: 18839217
Have you tried a 1-1 static NAT for this PC on your PIX?

Author Comment

by:jdltek
ID: 18839259
No, can you give me an example of what you are suggesting?
LVL 79

Expert Comment

by:lrmoore
ID: 18839301
Assuming that you have a spare public IP that you are not using:
  static (inside,outside) <public ip> <PC's IP address> netmask 255.255.255.255 0 0

Author Comment

by:jdltek
ID: 18839328
I'm not sure how that would help.  Since the client is initiating the remote connection using the VPN3000 IP, how will that work?
LVL 79

Expert Comment

by:lrmoore
ID: 18839377
Your PIX 4.3 cannot support NAT-T, nor can it do fixup esp.
The client does initiate the connection, and currently uses a dynamic public IP, probably through the overload address. With a 1-1 static nat, the firewall does not have to support the ipsec fixup and the client appears to the vpn3000 as a static public IP address and NAT-T does not have to be negotiated.
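As an added illustration (not code from the thread or from Cisco), the following Python script classifies a constructed per-packet summary taken on the client PC into the failure modes lrmoore describes: IKE negotiation completing while ESP only ever leaves the PC, versus NAT-T (UDP/4500) working in both directions. The protocol numbers and ports are the standard IPsec values; the sample flows are constructed.

```python
# Added example: classify a client-side packet summary to recognise the
# "bytes sent, 0 received" symptom of raw ESP not surviving NAT.
# Standard IPsec values: IKE = UDP/500, NAT-T = UDP/4500, ESP = IP protocol 50.
from collections import Counter

# Constructed sample of what a capture on the XP client would show:
# (direction, ip_proto, src_port, dst_port); ports are None for ESP.
SAMPLE_FLOWS = [
    ("out", 17, 500, 500),    # IKE request to the VPN3000
    ("in", 17, 500, 500),     # IKE reply: phase 1/2 negotiation completes
    ("out", 17, 500, 500),
    ("in", 17, 500, 500),
    ("out", 50, None, None),  # ESP carrying the FTP/emulator traffic leaves the PC
    ("out", 50, None, None),
    ("out", 50, None, None),  # ...but nothing ever comes back
]

def summarize(flows):
    """Count IKE, NAT-T and ESP packets per direction; missing keys read as 0."""
    counts = Counter()
    for direction, proto, sport, dport in flows:
        if proto == 17 and 500 in (sport, dport):
            counts[("ike", direction)] += 1
        elif proto == 17 and 4500 in (sport, dport):
            counts[("natt", direction)] += 1
        elif proto == 50:
            counts[("esp", direction)] += 1
    return counts

def diagnose(flows):
    """Return a short verdict matching the cases discussed in the thread."""
    c = summarize(flows)
    if c[("ike", "in")] == 0:
        return "no-ike-reply"    # IKE blocked or VPN server unreachable
    if c[("natt", "out")] and c[("natt", "in")]:
        return "natt-ok"         # UDP/4500 in both directions: NAT-T is working
    if c[("natt", "out")]:
        return "natt-one-way"    # NAT-T attempted but replies never arrive
    if c[("esp", "out")] and c[("esp", "in")] == 0:
        # Tunnel negotiated, ESP goes out, nothing returns: the NAT device cannot
        # map raw ESP (no NAT-T, no ESP fixup). Thread remedies: NAT-T on both
        # ends, or a 1-1 static NAT for the PC so NAT-T is never needed.
        return "esp-one-way"
    if c[("esp", "in")]:
        return "esp-ok"
    return "no-data"

if __name__ == "__main__":
    print(diagnose(SAMPLE_FLOWS))  # esp-one-way
```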

Author Comment

by:jdltek
ID: 18839401
Thank you, I will try that.  Does that compromise the security of the vpn connection or leave that pc open to attacks?
LVL 79

Expert Comment

by:lrmoore
ID: 18839415
Not at all.

Author Comment

by:jdltek
ID: 18849846
I am going to try it tonight.  Will I have to use any conduit commands?
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 18854536
You shouldn't have to use any conduit commands, but if it does not work, you might want to create a conduit to permit "ip" from the VPN server's public IP address to this public IP that you have natted to this PC.

Author Comment

by:jdltek
ID: 18854656
I just got it to work after putting in the conduit permit "ip" command.  Thanks!!