Solved

Connecting Cisco vpn client to remote network from behind a pix firewall

Posted on 2007-03-29
18
390 Views
Last Modified: 2010-04-09
Here is the situation:
My client has a network behind an old PIX firewall.  They ftp files to a remote site of one of their vendors.  They only had to use an emulation program (Mochasoft) with the correct ip address to connect.  The vendor has just implemented a new firewall and told my client they had to install the Cisco vpn client to connect to their site before they use the emulation program.  The Cisco vpn client connects to the site, but they cannot use the emulation program or ftp anything.  I noticed the vpn connection receives bytes, but has 0 sent bytes.  The vpn client works from other locations(such as home).  I know the problem must be because of the PIX the vpn client is behind.  Any help is appreciated.
0
Comment
Question by:jdltek
  • 9
  • 8
18 Comments
 

Author Comment

by:jdltek
ID: 18815572
I'm sorry, the vpn client connection sends bytes, but has 0 received bytes.  
Packets "bypassed" shows a constant increase of more than one per second.  
Transparent tunneling: Inactive.  
Local Lan: Disabled.
0
 
LVL 1

Expert Comment

by:fwetzler
ID: 18816639
The Information you gave is not very much.
- is it "split tunnelling" or "full tunnelling"?
- which protocols/ ports are used (e.g. tcp 10000, or udp 4500)
- your PIX (i dont know it): is it able to bypass IKE-Protokol

first suggested action: set the log of the cisco client of all categorys to "high", try a connect and see the Log of the Cisco Client.
its hard to read, but the only way to get information, if you dont have setup the firewall and no possibilities to see the fw-configuration
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18828419
Both your PIX and the remote PIX have to have nat-traversal enabled.

  isakmp nat-traversal 20

0
 

Author Comment

by:jdltek
ID: 18829573
The PIX is running version 4.3.  I don't see any isakmp commands in the manual.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830164
Ooooo....ouch. 4.3 does not support nat-traversal...
Your only option is a 1-1 static nat for this client user
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830171
The other end still has to support nat-t
Is the other end (vpn server end) a PIX FW, or VPN3000 concentrator? Either one needs to be explicitly configured to allow nat-t over UDP.
0
 

Author Comment

by:jdltek
ID: 18830900
I'm pretty sure it is a PIX FW.
0
 

Author Comment

by:jdltek
ID: 18839173
O.K.  The Cisco vpn client is installed on XP behind a PIX firewall (running version 4.3) and is connecting to a VPN3000 on the remote end.  The vpn client does make the connection, but that's about all it does.  They can't ftp, ping or anything else.  The vpn client shows bytes being sent, but not received.  Supposedly Nat transversal is setup on the vpn3000.  Any ideas?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839217
Have you tried a 1-1 static NAT for this PC on your PIX?
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:jdltek
ID: 18839259
No, can you give me an example of what you are suggesting?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839301
Assuming that you have a spare public IP that you are not using:
  static (inside,outside) <public ip> <PC's IP address> netmask 255.255.255.255 0 0
0
 

Author Comment

by:jdltek
ID: 18839328
I'm not sure how that would help.  Since the client is initiating the remote connection using the vpn3000 ip, how will that work.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839377
Your PIX 4.3 cannot support NAT-T, nor can it do fixup esp.
The client does initiate the connection, and currently uses a dynamic public IP, probably through the overload address. With a 1-1 static nat, the firewall does not have to support the ipsec fixup and the client appears to the vpn3000 as a static public IP address and NAT-T does not have to be negotiated.
0
 

Author Comment

by:jdltek
ID: 18839401
Thank you, I will try that.  Does that compromise the security of the vpn connection or leave that pc open to attacks?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839415
Not at all.
0
 

Author Comment

by:jdltek
ID: 18849846
I am going to try it tonight.  Will I have to use any conduit commands?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18854536
You shouldn't have to use any conduit commands, but if it does not work, you might want to create a conduit to permit "ip" from the VPN server's public IP address to this public IP that you have natted to this PC.
0
 

Author Comment

by:jdltek
ID: 18854656
I just got it to work after putting in the conduit permit "ip" command.  Thanks!!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Let’s list some of the technologies that enable smooth teleworking. 
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now