Solved

Connecting Cisco vpn client to remote network from behind a pix firewall

Posted on 2007-03-29
18
395 Views
Last Modified: 2010-04-09
Here is the situation:
My client has a network behind an old PIX firewall.  They ftp files to a remote site of one of their vendors.  They only had to use an emulation program (Mochasoft) with the correct ip address to connect.  The vendor has just implemented a new firewall and told my client they had to install the Cisco vpn client to connect to their site before they use the emulation program.  The Cisco vpn client connects to the site, but they cannot use the emulation program or ftp anything.  I noticed the vpn connection receives bytes, but has 0 sent bytes.  The vpn client works from other locations(such as home).  I know the problem must be because of the PIX the vpn client is behind.  Any help is appreciated.
0
Comment
Question by:jdltek
  • 9
  • 8
18 Comments
 

Author Comment

by:jdltek
ID: 18815572
I'm sorry, the vpn client connection sends bytes, but has 0 received bytes.  
Packets "bypassed" shows a constant increase of more than one per second.  
Transparent tunneling: Inactive.  
Local Lan: Disabled.
0
 
LVL 1

Expert Comment

by:fwetzler
ID: 18816639
The Information you gave is not very much.
- is it "split tunnelling" or "full tunnelling"?
- which protocols/ ports are used (e.g. tcp 10000, or udp 4500)
- your PIX (i dont know it): is it able to bypass IKE-Protokol

first suggested action: set the log of the cisco client of all categorys to "high", try a connect and see the Log of the Cisco Client.
its hard to read, but the only way to get information, if you dont have setup the firewall and no possibilities to see the fw-configuration
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18828419
Both your PIX and the remote PIX have to have nat-traversal enabled.

  isakmp nat-traversal 20

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jdltek
ID: 18829573
The PIX is running version 4.3.  I don't see any isakmp commands in the manual.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830164
Ooooo....ouch. 4.3 does not support nat-traversal...
Your only option is a 1-1 static nat for this client user
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830171
The other end still has to support nat-t
Is the other end (vpn server end) a PIX FW, or VPN3000 concentrator? Either one needs to be explicitly configured to allow nat-t over UDP.
0
 

Author Comment

by:jdltek
ID: 18830900
I'm pretty sure it is a PIX FW.
0
 

Author Comment

by:jdltek
ID: 18839173
O.K.  The Cisco vpn client is installed on XP behind a PIX firewall (running version 4.3) and is connecting to a VPN3000 on the remote end.  The vpn client does make the connection, but that's about all it does.  They can't ftp, ping or anything else.  The vpn client shows bytes being sent, but not received.  Supposedly Nat transversal is setup on the vpn3000.  Any ideas?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839217
Have you tried a 1-1 static NAT for this PC on your PIX?
0
 

Author Comment

by:jdltek
ID: 18839259
No, can you give me an example of what you are suggesting?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839301
Assuming that you have a spare public IP that you are not using:
  static (inside,outside) <public ip> <PC's IP address> netmask 255.255.255.255 0 0
0
 

Author Comment

by:jdltek
ID: 18839328
I'm not sure how that would help.  Since the client is initiating the remote connection using the vpn3000 ip, how will that work.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839377
Your PIX 4.3 cannot support NAT-T, nor can it do fixup esp.
The client does initiate the connection, and currently uses a dynamic public IP, probably through the overload address. With a 1-1 static nat, the firewall does not have to support the ipsec fixup and the client appears to the vpn3000 as a static public IP address and NAT-T does not have to be negotiated.
0
 

Author Comment

by:jdltek
ID: 18839401
Thank you, I will try that.  Does that compromise the security of the vpn connection or leave that pc open to attacks?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839415
Not at all.
0
 

Author Comment

by:jdltek
ID: 18849846
I am going to try it tonight.  Will I have to use any conduit commands?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18854536
You shouldn't have to use any conduit commands, but if it does not work, you might want to create a conduit to permit "ip" from the VPN server's public IP address to this public IP that you have natted to this PC.
0
 

Author Comment

by:jdltek
ID: 18854656
I just got it to work after putting in the conduit permit "ip" command.  Thanks!!
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Configuring WAN interface on Cisco ASA5525 3 25
Deny permission ACL 16 26
BGP DUAL ISP with IP SLA 10 18
CISCO ASA 5505 double Wan 8 16
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question