vpn client behind PIX 501

Guys,

I am trying to set a vpn (client)for my wife to connect to her work.

The vpn client is "Secure VPN Client - Mobile User VPN". What do i need to do on my end if I have a pix 501 (version PIX Version 6.3(1). I am initiating the connection behind my pix.

As of now, I just have the defualt setup.

I am getting the following log errors:

Severity (3) 305006: portmap translation creation failed for protocol 50 src inside:192.168.x.xx dst outside:66.12.xx.xxx

Severity (6) 305012: teardown dynamic UDP translation from inside:192.168.x.xx/500 to outside:66.159.xx.xx/12 duration 0:01:32

btw, I really don't know what my wife's workplace is using besides the VPN client that was given to her to install. Once the VPN client is installed, she then uses Citrix to connect through the VPN. I am assuming it is IPsec compliant.

Thanks in advance.

Tony

Reply to
tractng

What you need is

fixup protocol esp-ike

but you can use it only if you don't have any VPN tunnels from your PIX. And I'm not quite sure that this feature exists in 6.3(1).

Please check the release notes from

formatting link

Reply to
Jyri Korhonen

Jyri,

I will give it a try tonight when I get out of work.

Thanks, Tony

Reply to
tractng

Guys,

I have tried what Jyri suggested:

fixup protocol esp-ike

Now I am getting this message in the log:

106010: Deny inbound protocol 50 src outside:66.12.xx.xxx dst inside:66.159.xxx.xx

Do I allow protocol 50 through my PIX? What is the syntax?

btw, 66.12.xx.xxx is the VPN gateway that I am trying to connect to, and

66.159.xxx.xx is my public IP assigned by the ISP.

Thanks in advance. Tony

Reply to
tractng

access-list acl_outbound permit esp any any
access-list acl_outbound permit udp any any eq isakmp
access-list acl_outbound permit udp any any eq 4500

access-group acl_outbound in interface inside

Reply to
oTTo

Otto,

I am still getting the same error message:

106010: Deny inbound protocol 50 src outside:66.12.xx.xxx dst inside:66.159.xxx.xx

Do I need to have an additional config statement for each of the lines you provided above, something like this:

static (inside,outside) 66.159.xxx.xx esp 192.168.1.2 esp 255.255.255.255

In addition, I get many different error messages like the one below (I would lose connection to the internet):

106023: deny udp src inside: 192.168.1.2/1102 dst outside:217.12.4.104/53 by access-group "acl_outbound"

Thanks, Tony

Reply to
tractng

oTTo wrote:

Forget about those access-lists.

All you need is "isakmp nat-traversal"

You have to enable it - that's all.

check

formatting link

regards jarcar

Reply to
jarcar
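The thread above hinges on reading three PIX syslog IDs correctly: 305006 (PAT cannot translate ESP, which has no ports), 106010 (the gateway's return ESP is dropped for the same reason) and 106023 (an inside ACL that only permits ESP/ISAKMP breaks normal traffic such as DNS). The script below is an added example, not code from this thread or from Cisco: it parses lines in the "Severity (n) ID:" form the poster quoted (and the %PIX-n-ID form), flags ESP events, notes which UDP port IKE was translated on, and reports whether NAT-T (UDP/4500) is already in play. The log lines and addresses are constructed samples.

```python
import re

# Constructed sample log, modelled on the messages quoted in the thread (placeholder addresses).
SAMPLE_LOG = """\
Severity (3) 305006: portmap translation creation failed for protocol 50 src inside:192.168.1.2 dst outside:66.12.0.1
Severity (6) 305012: teardown dynamic UDP translation from inside:192.168.1.2/500 to outside:66.159.0.2/12 duration 0:01:32
Severity (2) 106010: Deny inbound protocol 50 src outside:66.12.0.1 dst inside:66.159.0.2
Severity (2) 106023: Deny udp src inside:192.168.1.2/1102 dst outside:217.12.4.104/53 by access-group "acl_outbound"
"""

# What each message ID means for an IPsec client sitting behind PAT on the PIX.
HINTS = {
    "305006": "ESP (IP proto 50) has no ports, so PAT cannot build a translation; "
              "enable 'isakmp nat-traversal' (client falls back to UDP/4500) or 'fixup protocol esp-ike'",
    "106010": "return ESP from the VPN gateway has no translation slot and is dropped on 'outside'; "
              "same remedy as 305006, an outside-to-inside ACL will not help",
    "106023": "an access-group applied inbound on 'inside' is denying ordinary LAN traffic (DNS/53 here); "
              "such an ACL must permit everything the LAN needs, not only ESP and ISAKMP",
}

# Accept both the PDM-style "Severity (3) 305006:" form and the raw "%PIX-3-305006:" form.
LINE_RE = re.compile(r"(?:%PIX-(?P<sev1>\d)-|Severity \((?P<sev2>\d)\) )(?P<id>\d{6}): (?P<msg>.*)")
PROTO_RE = re.compile(r"\bprotocol (?P<proto>\d+)\b")
UDP_RE = re.compile(r"\bUDP translation from inside:\S+/(?P<port>\d+)", re.IGNORECASE)


def diagnose(log_text):
    """Return one finding dict per parsable PIX syslog line, with an IPsec-passthrough hint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a PIX syslog line we understand
        msg_id, msg = m.group("id"), m.group("msg")
        proto, udp = PROTO_RE.search(msg), UDP_RE.search(msg)
        findings.append({
            "id": msg_id,
            "severity": int(m.group("sev1") or m.group("sev2")),
            "esp": proto is not None and proto.group("proto") == "50",
            "ike_udp_port": int(udp.group("port")) if udp else None,
            "hint": HINTS.get(msg_id, ""),
        })
    return findings


def nat_t_in_use(findings):
    """True if IKE was already translated on UDP/4500 (NAT-T); False if only raw ESP / UDP 500 appears."""
    return any(f["ike_udp_port"] == 4500 for f in findings)
```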
