Solved

Connecting Cisco vpn client to remote network from behind a pix firewall

Posted on 2007-03-29
18
399 Views
Last Modified: 2010-04-09
Here is the situation:
My client has a network behind an old PIX firewall.  They ftp files to a remote site of one of their vendors.  They only had to use an emulation program (Mochasoft) with the correct ip address to connect.  The vendor has just implemented a new firewall and told my client they had to install the Cisco vpn client to connect to their site before they use the emulation program.  The Cisco vpn client connects to the site, but they cannot use the emulation program or ftp anything.  I noticed the vpn connection receives bytes, but has 0 sent bytes.  The vpn client works from other locations(such as home).  I know the problem must be because of the PIX the vpn client is behind.  Any help is appreciated.
0
Comment
Question by:jdltek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 8
18 Comments
 

Author Comment

by:jdltek
ID: 18815572
I'm sorry, the vpn client connection sends bytes, but has 0 received bytes.  
Packets "bypassed" shows a constant increase of more than one per second.  
Transparent tunneling: Inactive.  
Local Lan: Disabled.
0
 
LVL 1

Expert Comment

by:fwetzler
ID: 18816639
The Information you gave is not very much.
- is it "split tunnelling" or "full tunnelling"?
- which protocols/ ports are used (e.g. tcp 10000, or udp 4500)
- your PIX (i dont know it): is it able to bypass IKE-Protokol

first suggested action: set the log of the cisco client of all categorys to "high", try a connect and see the Log of the Cisco Client.
its hard to read, but the only way to get information, if you dont have setup the firewall and no possibilities to see the fw-configuration
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18828419
Both your PIX and the remote PIX have to have nat-traversal enabled.

  isakmp nat-traversal 20

0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 

Author Comment

by:jdltek
ID: 18829573
The PIX is running version 4.3.  I don't see any isakmp commands in the manual.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830164
Ooooo....ouch. 4.3 does not support nat-traversal...
Your only option is a 1-1 static nat for this client user
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18830171
The other end still has to support nat-t
Is the other end (vpn server end) a PIX FW, or VPN3000 concentrator? Either one needs to be explicitly configured to allow nat-t over UDP.
0
 

Author Comment

by:jdltek
ID: 18830900
I'm pretty sure it is a PIX FW.
0
 

Author Comment

by:jdltek
ID: 18839173
O.K.  The Cisco vpn client is installed on XP behind a PIX firewall (running version 4.3) and is connecting to a VPN3000 on the remote end.  The vpn client does make the connection, but that's about all it does.  They can't ftp, ping or anything else.  The vpn client shows bytes being sent, but not received.  Supposedly Nat transversal is setup on the vpn3000.  Any ideas?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839217
Have you tried a 1-1 static NAT for this PC on your PIX?
0
 

Author Comment

by:jdltek
ID: 18839259
No, can you give me an example of what you are suggesting?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839301
Assuming that you have a spare public IP that you are not using:
  static (inside,outside) <public ip> <PC's IP address> netmask 255.255.255.255 0 0
0
 

Author Comment

by:jdltek
ID: 18839328
I'm not sure how that would help.  Since the client is initiating the remote connection using the vpn3000 ip, how will that work.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839377
Your PIX 4.3 cannot support NAT-T, nor can it do fixup esp.
The client does initiate the connection, and currently uses a dynamic public IP, probably through the overload address. With a 1-1 static nat, the firewall does not have to support the ipsec fixup and the client appears to the vpn3000 as a static public IP address and NAT-T does not have to be negotiated.
0
 

Author Comment

by:jdltek
ID: 18839401
Thank you, I will try that.  Does that compromise the security of the vpn connection or leave that pc open to attacks?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18839415
Not at all.
0
 

Author Comment

by:jdltek
ID: 18849846
I am going to try it tonight.  Will I have to use any conduit commands?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18854536
You shouldn't have to use any conduit commands, but if it does not work, you might want to create a conduit to permit "ip" from the VPN server's public IP address to this public IP that you have natted to this PC.
0
 

Author Comment

by:jdltek
ID: 18854656
I just got it to work after putting in the conduit permit "ip" command.  Thanks!!
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question