From: Joseph McEvoy (JMcEvoy@xxxxxxxxx)
Date: Wed Aug 29 2001 - 21:23:40 GMT-3
It's already in there. Actually this command allows my PIX (the VPN
termination point) to pass IPSEC traffic. What I need is something similar
on everybody else's PIX! :-)
Keep in mind, I am having problems when the user is behind a firewall. The
firewall *should* allow all return traffic, but I think the problem is that
some traffic is initiated by my PIX, and is therefore not considered return
traffic. After reviewing the last couple of posts, it looks like that
traffic can be defined as UDP 500 and the ESP protocol.
-----Original Message-----
From: Larry Roberts [mailto:lroberts22@qwest.net]
Sent: Wednesday, August 29, 2001 8:40 PM
To: Joseph McEvoy; ccielab@groupstudy.com
Subject: Re: ISAKMP Ports blocked when using VPN client?
Try this command
sysopt connection permit-ipsec
This allows return IPSec traffic w/o a conduit.
----- Original Message -----
From: "Joseph McEvoy" <JMcEvoy@isgny.com>
To: "'Larry Roberts'" <lroberts22@qwest.net>; "Joseph McEvoy"
<JMcEvoy@isgny.com>; <ccielab@groupstudy.com>
Sent: Wednesday, August 29, 2001 4:46 PM
Subject: RE: ISAKMP Ports blocked when using VPN client?
> No, they are customer sites. My original goal was to have VPN connectivity
> from anywhere. (Excluding of course those sites that are explicitly blocking
> that type of traffic).
>
> The PIX at the test remote site was under my control, and it allowed all
> outbound traffic. My thought was that some of the ISAKMP traffic was being
> blocked because it was initiated from the PIX at HQ.
>
> -----Original Message-----
> From: Larry Roberts [mailto:lroberts22@qwest.net]
> Sent: Wednesday, August 29, 2001 8:04 PM
> To: Joseph McEvoy; ccielab@groupstudy.com
> Subject: Re: ISAKMP Ports blocked when using VPN client?
>
>
> Hi Joseph,
>
> Sounds to me like the other Firewall is blocking ISAKMP, AH, and/or ESP. Is
> this other firewall under your administrative control?
>
> Sincerely,
> Larry Roberts
> CCIE #7886
>
> ----- Original Message -----
> From: "Joseph McEvoy" <JMcEvoy@isgny.com>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, August 29, 2001 2:46 PM
> Subject: ISAKMP Ports blocked when using VPN client?
>
>
> > Hello Group,
> >
> > I have installed a PIX running 6.01 and configured it for Cisco's latest VPN
> > client 3.02. Anyway, it works like a charm except when the user is at a
> > remote location with a firewall. I don't believe this is a NAT/PAT issue, as I
> > can connect from home using a Linksys router that is doing PAT. My only
> > guess is that our PIX (the VPN termination point) is initiating an ISAKMP
> > key exchange back to the client after the client goes through exchanging its
> > key.
> >
> > Does anybody have a workaround, or at the very least can anybody confirm why
> > this is happening?
> > TIA -Joe McEvoy
> > **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:00 GMT-3
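
Added example, not part of the original thread: a toy Python model of a stateful filter at the remote site, illustrating the distinction the top message draws between return traffic and gateway-initiated traffic (UDP 500 and ESP). The filter class, addresses and rule format are assumptions for illustration and do not reproduce PIX behaviour.

```python
from collections import namedtuple

UDP, ESP = 17, 50      # IP protocol numbers
ISAKMP = 500           # UDP port used by ISAKMP/IKE

# ESP has no ports, so sport/dport are None for ESP packets.
Packet = namedtuple("Packet", "direction proto src dst sport dport")

class StatefulFilter:
    """Toy stateful filter: all outbound allowed, inbound needs state or a rule."""

    def __init__(self, inbound_rules=()):
        self.flows = set()                       # flows opened from the inside
        self.inbound_rules = set(inbound_rules)  # (proto, src, dport) permits

    def verdict(self, p):
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.dst, p.sport, p.dport))
            return "permit"
        # Inbound counts as return traffic only if it mirrors an outbound flow.
        if (p.proto, p.dst, p.src, p.dport, p.sport) in self.flows:
            return "permit-return"
        if (p.proto, p.src, p.dport) in self.inbound_rules:
            return "permit-rule"
        return "deny"

def run(fw, packets):
    return [fw.verdict(p) for p in packets]

# Constructed addresses (documentation ranges), not taken from the thread.
CLIENT, HQ = "192.0.2.10", "198.51.100.1"
SESSION = [
    Packet("out", UDP, CLIENT, HQ, ISAKMP, ISAKMP),  # client starts ISAKMP
    Packet("in",  UDP, HQ, CLIENT, ISAKMP, ISAKMP),  # gateway's reply
    Packet("in",  ESP, HQ, CLIENT, None, None),      # gateway sends ESP first
]
GATEWAY_FIRST = [Packet("in", UDP, HQ, CLIENT, ISAKMP, ISAKMP)]  # no prior state
RULES = [(UDP, HQ, ISAKMP), (ESP, HQ, None)]  # permit UDP 500 and ESP from HQ

if __name__ == "__main__":
    print(run(StatefulFilter(), SESSION))
    print(run(StatefulFilter(), GATEWAY_FIRST))
    print(run(StatefulFilter(RULES), SESSION))
    print(run(StatefulFilter(RULES), GATEWAY_FIRST))
```

In this model the inbound ESP packet and the gateway-initiated ISAKMP packet are denied unless the remote filter carries explicit permits scoped to the VPN gateway's address.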