?
Solved

Connecting Cisco vpn client to remote network from behind a pix firewall

Posted on 2007-03-29
18
Medium Priority
?
400 Views
Last Modified: 2010-04-09
Here is the situation:
My client has a network behind an old PIX firewall.  They ftp files to a remote site of one of their vendors.  They only had to use an emulation program (Mochasoft) with the correct ip address to connect.  The vendor has just implemented a new firewall and told my client they had to install the Cisco vpn client to connect to their site before they use the emulation program.  The Cisco vpn client connects to the site, but they cannot use the emulation program or ftp anything.  I noticed the vpn connection receives bytes, but has 0 sent bytes.  The vpn client works from other locations(such as home).  I know the problem must be because of the PIX the vpn client is behind.  Any help is appreciated.
0
Comment
Question by:jdltek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 8
18 Comments
 

Author Comment

by:jdltek
ID: 18815572
I'm sorry, the vpn client connection sends bytes, but has 0 received bytes.  
Packets "bypassed" shows a constant increase of more than one per second.  
Transparent tunneling: Inactive.  
Local Lan: Disabled.
0
 
LVL 1

Expert Comment

by:fwetzler
ID: 18816639
The Information you gave is not very much.
- is it "split tunnelling" or "full tunnelling"?
- which protocols/ ports are used (e.g. tcp 10000, or udp 4500)
- your PIX (i dont know it): is it able to bypass IKE-Protokol

first suggested action: set the log of the cisco client of all categorys to "high", try a connect and see the Log of the Cisco Client.
its hard to read, but the only way to get information, if you dont have setup the firewall and no possibilities to see the fw-configuration
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18828419
Both your PIX and the remote PIX have to have nat-traversal enabled.

  isakmp nat-traversal 20

0
Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

 

Author Comment

by:jdltek
ID: 18829573
The PIX is running version 4.3.  I don't see any isakmp commands in the manual.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830164
Ooooo....ouch. 4.3 does not support nat-traversal...
Your only option is a 1-1 static nat for this client user
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830171
The other end still has to support nat-t
Is the other end (vpn server end) a PIX FW, or VPN3000 concentrator? Either one needs to be explicitly configured to allow nat-t over UDP.
0
 

Author Comment

by:jdltek
ID: 18830900
I'm pretty sure it is a PIX FW.
0
 

Author Comment

by:jdltek
ID: 18839173
O.K.  The Cisco vpn client is installed on XP behind a PIX firewall (running version 4.3) and is connecting to a VPN3000 on the remote end.  The vpn client does make the connection, but that's about all it does.  They can't ftp, ping or anything else.  The vpn client shows bytes being sent, but not received.  Supposedly Nat transversal is setup on the vpn3000.  Any ideas?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839217
Have you tried a 1-1 static NAT for this PC on your PIX?
0
 

Author Comment

by:jdltek
ID: 18839259
No, can you give me an example of what you are suggesting?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839301
Assuming that you have a spare public IP that you are not using:
  static (inside,outside) <public ip> <PC's IP address> netmask 255.255.255.255 0 0
0
 

Author Comment

by:jdltek
ID: 18839328
I'm not sure how that would help.  Since the client is initiating the remote connection using the vpn3000 ip, how will that work.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839377
Your PIX 4.3 cannot support NAT-T, nor can it do fixup esp.
The client does initiate the connection, and currently uses a dynamic public IP, probably through the overload address. With a 1-1 static nat, the firewall does not have to support the ipsec fixup and the client appears to the vpn3000 as a static public IP address and NAT-T does not have to be negotiated.
0
 

Author Comment

by:jdltek
ID: 18839401
Thank you, I will try that.  Does that compromise the security of the vpn connection or leave that pc open to attacks?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839415
Not at all.
0
 

Author Comment

by:jdltek
ID: 18849846
I am going to try it tonight.  Will I have to use any conduit commands?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 18854536
You shouldn't have to use any conduit commands, but if it does not work, you might want to create a conduit to permit "ip" from the VPN server's public IP address to this public IP that you have natted to this PC.
0
 

Author Comment

by:jdltek
ID: 18854656
I just got it to work after putting in the conduit permit "ip" command.  Thanks!!
0

Featured Post

Get MySQL database support online, now!

At Percona’s web store you can order your MySQL database support needs in minutes. No hassles, no fuss, just pick and click. Pay online with a credit card.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question