Using Cisco VPN Client behind PIX 506e - connects to remote site but no traffic will pass

We have a client that uses Cisco VPN client to regularly establish an IPSEC VPN connection to a remote location.  It worked fine until we recently replaced our firewall with a PIX 506e.  The client establishes a connection but no traffic will pass through the VPN - they can't ping anything on the remote network.  From the research I've done, this seems to be a common problem and does not work by default when you're behind a PIX.  But I haven't found a clear answer how to fix and the things I've tried haven't worked.  I currently have no control of the remote PIX and I don't know the version of the Cisco Client they're using yet.  This user only comes once a week and brings their own laptop.  I'm just supposed to get this working as soon as possible.  Here is my current PIX config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list INBOUND permit tcp any interface outside eq pptp
access-list INBOUND permit tcp any interface outside eq 3389
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.248.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.248.240 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.248.240 3389 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.248.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:****


Some have made the suggestion to add:

fixup protocol esp-ike
isakmp nat-traversal 30

I tried that but it didn't make any difference.  Someone else said to allow UDP 4500, but I would like some definate answers before I go changing anything else.  Could someone please tell me the lines I need to add or what I need to do to make this work?

Thanks in advance.
   
LVL 1
ITLighthouseAsked:
Who is Participating?
 
batry_boyConnect With a Mentor Commented:
Protocol 50 is ESP and is separate from IP and TCP altogether.  Rather than this:

access-list INBOUND permit tcp any interface outside eq 50

try this:

access-list INBOUND permit esp any interface outside

I'm still not sure that this will fix your ultimate issue, but that is how to allow ESP traffic to the IP address of the outside interface.
0
 
batry_boyCommented:
I don't see anything in the posted PIX config that would prevent the VPN tunnel from passing traffic like you describe.  I think you need to focus on the remote PIX that the client is connecting to.  Can you post that configuration so we can take a look?
0
 
ITLighthouseAuthor Commented:
As I mentioned, I don't have control of the remote PIX.  I'll see what I can get.

Thanks.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
ITLighthouseAuthor Commented:
I turned on logging and get "deny protocol 50 errors" in the log after the connection is established.  So I added the following lines -

access-list INBOUND permit tcp any interface outside eq 50
access-group INBOUND in interface outside
clear xlate

The error in the log doesn't go away and when I "show access-list" the hitcount for that line is 0, so I'm thinking maybe the access-list I added is incorrect or it is not taking effect.

Any suggestions?
0
 
ITLighthouseAuthor Commented:
Problem fixed!!
The line should be -
"access-list INBOUND permit esp any interface outside" not
"access-list INBOUND permit tcp any interface outside eq 50"

Here is my current WORKING config -

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list INBOUND permit tcp any interface outside eq pptp
access-list INBOUND permit tcp any interface outside eq 3389
access-list INBOUND permit icmp any any echo-reply
access-list INBOUND permit esp any interface outside
pager lines 24
icmp deny any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 192.168.248.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface pptp 192.168.248.240 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.248.240 3389 netmask 255.255.255.255 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
telnet 192.168.248.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:
0
 
ITLighthouseAuthor Commented:
That was it.  I found it shortly before you posted but I'll give you the points anyway for having a correct answer.
0
All Courses

From novice to tech pro — start learning today.