Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Cisco PIX 515E

Cisco PIX 515E 10 years 1 day ago #17111

  • lomaree
  • lomaree's Avatar
  • Offline
  • Frequent Member
  • Posts: 21
  • Karma: 0
Hi All,

I have few questions but first i will explain what is the problem i am facing ?

remote host/PC ----| remote router
| main router
| main switch
| main pix firewall.

as per the above network explaination , i would want to browse the internet from remote location. remote location is connected to the main router over an mpls link and i have been able to configure the remote router and main router for PBR and at the moment the PBR is configured for one computer in the remote location and this computer can browse the internet, problem starts when i try to connect the "checkpoint VPN securemote NGX60 client" to one of our partners in other country, perviously the same machine used to establish this VPN when it was in the main site. this VPN is connecting on port UDP 500 and TCP 264 at least this is what i see when i do "netstat -n"

when trying to connect from the remote location i see in the syslog message on PIX that outbound connection build up but the inbound are teardown on port udp/tcp 500 also i see "discard IP fragment with more then 1 element " which i cannot understand what it means up till now.

it's been a painful week now that i have been working on this problem.. what i suspect is that my PIX is not allowing the inbound connection on this port with this forigen IP, okay one more thing to share is that this remote location is on a different subnet and therefore i have set a route on this PIX i.e. route inside 20.20.1.2 255.255.255 172.16.1.10.

also have the nat (inside) 1 20.20.1.2 255.255.255.0 beside others.

coming to the questions.

1. what am i missing in all this?
2. host can bowse but cannot establish a connection on specific ports, why?
3. using PBR i have also tried allowing these ports on the access-list but in vain.
4. any route which is not directly connected on the pix therefore showing "others" on "sh route" command, do i also need to configure the NAT just like i had for the subnet which is configured on the PIX interface.
5. i am damm sure that it's the PIX at this point onwards which is causing me pain...

any help would be great.
The administrator has disabled public write access.

Re: Cisco PIX 515E 9 years 11 months ago #17191

  • ramasamy
  • ramasamy's Avatar
  • Offline
  • Frequent Member
  • Posts: 67
  • Karma: 0
Hi,

If the User is able to browse the internet. Then the problem is with the port. Let me know one thing whether

1) Is NAT-T enabled if so have you open any of the ports depends on your configuration.
i) IPSec over UPD = Port UDP 4001 to 49151
ii) IPSec over UDP with NAT-T = Port UDP 4500
iii) IPSec over TCP = Port TCP 10000

2) If NAT-T is not enabled you have do ONE-to-ONE NAT for all the system in the PIX and allow bi-directional policy for the service (port IP-50 (ESP))

Do this it will work.
The administrator has disabled public write access.
Time to create page: 0.075 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup