VPN Client behind PIX [7:64358]

2003-03-04 Thread Steve Smith
OK gang here is the scenario. We have a PIX at work running VPN. I have
a 515 at home. Before I put the 515 at home in I could use the VPN
client to connect to work. Now I can not. I remember a year or so back
reading a Cisco article about this and that you had to use a certain IP
range on the remote (my house) network. Does anyone know anything about
this? Any suggestions?

Thanks!

Steve Smith
Enterprise Engineer
901-758-8179 ext. 108
TEKSELL
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64358&t=64358
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: VPN Client behind PIX [7:64358]

2003-03-04 Thread Kevin O'Gilvie
You have to do an IPSEC tunnel from PIX to PIX or purchase a VPN Concentrator.
I have the same issue.











Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64367&t=64358


Re: VPN Client behind PIX [7:64358]

2003-03-04 Thread Charles Riley
You may be able to avoid throwing a VPN concentrator into the mix just yet.

Need more information before this can be answered, but it could be that the
source address of your home system is being NATed, which can interfere with
IPsec. It could be that your PIX is blocking.

Before you tear into your Pix's configuration, take it out of the equation
and ensure that you can establish the VPN as you did before you installed
the Pix.  If successful, then put your Pix back into the mix.  Check a few
things:

1. are you translating the VPN client's source IP address?

2. are you permitting IPsec traffic to pass untranslated?

3. are IPsec responses permitted to return to your VPN client?

4. Does the Pix at work only accept IPsec from specific addresses?

Obviously, since the work PIX and your VPN client did not change, the
problem lies with the configuration of the PIX you have at home.


HTH,

Charles







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64376&t=64358


Re: VPN Client behind PIX [7:64358]

2003-03-04 Thread Greg Owens
You just need to open the ports you are using, ie 500, 47 1
Greg Owens
202-398-2552




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64379&t=64358


RE: VPN Client behind PIX [7:64358]

2003-03-04 Thread Georgescu, Aurelian
Steve,

You have to permit the IP protocols 50 and 51 through the PIX for the IPSEC
tunnel negotiation between your client and the PIX at work.

Aurelian Georgescu






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64397&t=64358


Re: VPN Client behind PIX [7:64358]

2003-03-04 Thread Kevin O'Gilvie
I am assuming he is behind a cable modem or DSL.
If so, even Cisco says this is not possible.
If someone has this working, please advise.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64426&t=64358


RE: VPN Client behind PIX [7:64358]

2003-03-05 Thread Jay Dunn
I'm pretty sure this can't be done because the PIX doesn't do IPsec
pass-through. The good news is that the PIX IOS 6.3 is supposed to fix this.
I don't have the URL anymore, but there is a page on the Cisco web that
describes the new features in 6.3 and this capability is specifically
listed.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64456&t=64358


RE: VPN Client behind PIX [7:64358]

2003-03-05 Thread Martin J.
Try to encapsulate IPSec in UDP, otherwise IPSec will be dropped.
IKE is already UDP 500, but ESP and AH are protocols 50 and 51.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64479&t=64358


RE: VPN Client behind PIX [7:64358]

2003-03-05 Thread BJ Rice
I may be missing something, but are you asking whether you can establish a
VPN tunnel using a VPN client behind a 515 PIX firewall? The answer is yes;
I do it every day. I have a 515 at home and I use the Nortel VPN client to
connect to a Contivity box at work. My scenario is not exactly like yours,
but here are the statements I added in the PIX to enable this.

access-list VPN permit esp any any
access-list VPN permit udp any any eq isakmp
static (inside,outside) int 10.0.0.3

Make sure you are not using AH.  You can't run AH behind a PIX due to NATing
issues.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64494&t=64358
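As an added illustration (not code from the thread or from Cisco), the following toy evaluator parses the PIX-style access-list lines BJ Rice posted and checks the three flows a VPN client behind a PIX generates: it shows ISAKMP and ESP matching the two entries while AH falls through to the implicit deny, and notes why AH would not survive the NAT even if permitted. Only the syntax subset used in the post is parsed ('any' or 'host <ip>' addresses, optional 'eq <port>'); the sample client and peer addresses are constructed.

```python
"""Added example, not from the thread: a toy evaluator for the PIX-style
access-list lines in the post above, run against the flows a VPN client
behind a PIX needs. Only the syntax subset BJ Rice used is parsed:
'any' or 'host <ip>' addresses and an optional 'eq <port>'."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NUM = {"ip": 0, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}  # 0 = any
PORT_NAME = {"isakmp": 500}

# Constructed sample: the two access-list lines from the post.
SAMPLE_ACL = """\
access-list VPN permit esp any any
access-list VPN permit udp any any eq isakmp
"""

@dataclass
class AclEntry:
    name: str
    action: str           # "permit" or "deny"
    proto: int            # IP protocol number; 0 matches any protocol
    src: str              # "any" or a host address
    dst: str
    dport: Optional[int]  # None when the entry names no destination port

def _proto(tok: str) -> int:
    tok = tok.lower()
    if tok in PROTO_NUM:
        return PROTO_NUM[tok]
    if tok.isdigit():
        return int(tok)
    raise ValueError(f"unsupported protocol keyword: {tok}")

def _addr(t: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host <ip>' at token i; return (address, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]}")

def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # blank line, comment or some other command
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            port = t[i + 1].lower()
            dport = PORT_NAME[port] if port in PORT_NAME else int(port)
        entries.append(AclEntry(t[1], t[2].lower(), _proto(t[3]), src, dst, dport))
    return entries

def evaluate(acl, proto, src, dst, dport=None):
    """First-match semantics plus the implicit deny every PIX ACL ends with."""
    for e in acl:
        if e.proto not in (0, proto):
            continue
        if e.src not in ("any", src) or e.dst not in ("any", dst):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e
    return "deny", None

def check_vpn_client(acl, client_ip, peer_ip) -> Dict[str, Tuple[str, str]]:
    """Verdict and reason per flow. The post omits its access-group line, so
    interface direction is not modelled; only the match logic is checked."""
    flows = {"IKE (UDP/500)": (17, 500), "ESP (IP proto 50)": (50, None),
             "AH (IP proto 51)": (51, None)}
    out = {}
    for label, (proto, port) in flows.items():
        action, entry = evaluate(acl, proto, client_ip, peer_ip, port)
        reason = f"matched: {entry}" if entry else "implicit deny at end of list"
        if proto == 51:
            # AH's integrity check covers the IP header, so the address
            # rewrite by the static/NAT entry breaks it even when permitted;
            # that is why the post says not to use AH behind the PIX.
            reason += "; also broken by NAT on the PIX"
        out[label] = (action, reason)
    return out
```

Call `check_vpn_client(parse_acl(SAMPLE_ACL), "10.0.0.3", "198.51.100.1")` to see the per-flow verdicts for the posted entries.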


RE: VPN Client behind PIX [7:64358]

2003-03-05 Thread brett spunt
It's not possible, and here's why. The PIX VPN only supports IPsec over
UDP. IPsec over UDP is NOT supported when sitting behind a stateful
firewall (such as the PIX). You need to use IPsec over TCP if using the
VPN client sitting behind a PIX, or, like stated before, you could create
a "site to site" VPN, setting it up to peer with the PIX at your work. The
reason a concentrator will work is that it supports IPsec over TCP
connections, in addition to standard IPsec and IPsec over UDP.

HTH,

Brett Michael Spunt
CCNP,CIPT,MCSE
Computer Network Innovations
[EMAIL PROTECTED] 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64562&t=64358


RE: VPN Client behind PIX [7:64358]

2003-03-06 Thread Martin J.
I am not sure about that.
I have a Checkpoint FW (let's say it is stateful). Behind the FW sits the
VPN 3000. I connect with the VPN SW client. It works fine with IPSec over UDP.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64579&t=64358


RE: VPN Client behind PIX [7:64358]

2003-03-06 Thread Kevin O'Gilvie
I couldn't have said it better myself!!





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64567&t=64358


Re: RE: VPN Client behind PIX [7:64358]

2003-03-06 Thread Greg Owens
I found this info under the 3.6 client:

Allowing the VPN Client to Work Through ESP-Aware NAT/Firewalls
When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the
NAT/Firewall device may be closed due to the VPN Client's keepalive
implementation, called DPD (Dead Peer Detection). When a Client is idle, it
does not send a keepalive until it sends data and gets no response.

To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the
following parameter and setting to the [Main] section of any *.pcf (profile
configuration file) for the affected connection profile.

ForceKeepAlives=1

This parameter enables IKE and ESP keepalives for the connection at
approximately 20 second intervals.

For more information, see "Connection Profile Configuration Parameters" in
the VPN Client Administrator

Greg Owens
202-398-2552




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64603&t=64358
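An added example (not from the thread or from Cisco) of applying the quoted ForceKeepAlives=1 change to a Cisco VPN Client .pcf profile without disturbing its other settings; it also handles a profile that already carries ForceKeepAlives=0, a [Main]/[main] spelling difference, or no main section at all. The sample profile text and its key values are constructed; the only names taken from the post are the [Main] section and the ForceKeepAlives parameter.

```python
"""Added example, not from the thread or from Cisco: apply the
ForceKeepAlives=1 change quoted above to a Cisco VPN Client .pcf profile
without disturbing its other settings. The sample profile is constructed;
the only names taken from the post are the [Main] section and the
ForceKeepAlives parameter."""
import configparser
import io

# Constructed sample profile; real profiles carry many more keys.
SAMPLE_PCF = """\
[main]
Description=constructed sample profile
Host=vpn.example.com
AuthType=1
GroupName=remote-users
EnableISPConnect=0
"""

def _load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the key spelling the client wrote
    cp.read_string(text)
    return cp

def _section(cp, wanted="main"):
    """The post writes [Main]; profiles in the wild use [main]. Match either."""
    return next((s for s in cp.sections() if s.lower() == wanted), None)

def _key(cp, sec, wanted="ForceKeepAlives"):
    return next((k for k in cp.options(sec) if k.lower() == wanted.lower()), None)

def keepalives_forced(text: str) -> bool:
    """True when the profile already has ForceKeepAlives=1 in its main section."""
    cp = _load(text)
    sec = _section(cp)
    if sec is None:
        return False
    k = _key(cp, sec)
    return k is not None and cp.get(sec, k).strip() == "1"

def force_keepalives(text: str) -> str:
    """Return the profile text with ForceKeepAlives=1 set (idempotent)."""
    cp = _load(text)
    sec = _section(cp)
    if sec is None:
        cp.add_section("main")
        sec = "main"
    k = _key(cp, sec) or "ForceKeepAlives"  # overwrite e.g. an existing =0
    cp.set(sec, k, "1")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # key=value, as the client writes
    return out.getvalue()
```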

