I have few questions but first i will explain what is the problem i am facing ?
remote host/PC ----| remote router
| main router
| main switch
| main pix firewall.
as per the above network explaination , i would want to browse the internet from remote location. remote location is connected to the main router over an mpls link and i have been able to configure the remote router and main router for PBR and at the moment the PBR is configured for one computer in the remote location and this computer can browse the internet, problem starts when i try to connect the "checkpoint VPN securemote NGX60 client" to one of our partners in other country, perviously the same machine used to establish this VPN when it was in the main site. this VPN is connecting on port UDP 500 and TCP 264 at least this is what i see when i do "netstat -n"
when trying to connect from the remote location i see in the syslog message on PIX that outbound connection build up but the inbound are teardown on port udp/tcp 500 also i see "discard IP fragment with more then 1 element " which i cannot understand what it means up till now.
it's been a painful week now that i have been working on this problem.. what i suspect is that my PIX is not allowing the inbound connection on this port with this forigen IP, okay one more thing to share is that this remote location is on a different subnet and therefore i have set a route on this PIX i.e. route inside 188.8.131.52 255.255.255 172.16.1.10.
also have the nat (inside) 1 184.108.40.206 255.255.255.0 beside others.
coming to the questions.
1. what am i missing in all this?
2. host can bowse but cannot establish a connection on specific ports, why?
3. using PBR i have also tried allowing these ports on the access-list but in vain.
4. any route which is not directly connected on the pix therefore showing "others" on "sh route" command, do i also need to configure the NAT just like i had for the subnet which is configured on the PIX interface.
5. i am damm sure that it's the PIX at this point onwards which is causing me pain...
If the User is able to browse the internet. Then the problem is with the port. Let me know one thing whether
1) Is NAT-T enabled if so have you open any of the ports depends on your configuration.
i) IPSec over UPD = Port UDP 4001 to 49151
ii) IPSec over UDP with NAT-T = Port UDP 4500
iii) IPSec over TCP = Port TCP 10000
2) If NAT-T is not enabled you have do ONE-to-ONE NAT for all the system in the PIX and allow bi-directional policy for the service (port IP-50 (ESP))