From: Don Rogers (drogers@xxxxxxxxxxx)
Date: Thu Aug 30 2001 - 09:58:52 GMT-3
We had a similar problem.
nortel vpn box ------------ (inside) PIX (outside) -------------------- nortel vpn box
Configured sysopt. It did not work. Called Cisco.
Cisco told us to add a conduit permitting esp to/from any.
Problem was solved.
Note:
Cisco did not tell us to add an access-list permitting esp.
Cisco did not tell us to add a static.
The problem was solved solely through the use of the sysopt and the conduit.
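As an added illustration (not from Don's post or from Cisco), a PIX 6.x configuration fragment for the VPN-terminating PIX, assuming the VPN terminates on the outside interface; the exact conduit syntax and the UDP 500 entry for ISAKMP are assumptions drawn from the PIX 6.x command set, not from the thread.

```text
! Added example, not part of the original post. Lines starting with "!" are
! comments for the reader; strip them before pasting into a PIX 6.x config.

! 1. Let IPsec-related traffic bypass the conduit/access-list check on this PIX
sysopt connection permit-ipsec

! 2. Explicitly permit ESP (IP protocol 50) to/from any, as Cisco advised Don
conduit permit esp any any

! 3. ISAKMP/IKE (UDP 500): the other traffic Joseph identified as initiated by
!    the HQ PIX and therefore not seen as "return" traffic by a remote firewall
!    (assumed here; Don's fix needed only the sysopt and the ESP conduit)
conduit permit udp any eq 500 any

! Per Don's note, no static and no access-list were needed for this fix.
! Verify what is in effect with: show sysopt / show conduit
```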
brian apley wrote:
> What kind of FW is the user behind? Some (like Netscreen and, yes, PIX) do have a problem in passing phase 1 and/or phase 2 through (similar to H.323 - the true source address of the client is in the payload, the firewall doesn't translate it right even on a static NAT, or the FW just freaks when it sees the IPSEC outbound traffic). Checkpoint and IOS FW work like a charm for this kind of pass-through. Netscreen, PIX - bad bad.
> Linksys? I'm sure that works fine because IT'S NOT A TRUE FIREWALL.
>
> Brian Apley
> CCIE #7599, CCDP
> Joseph McEvoy <JMcEvoy@isgny.com> wrote: It's already in there.
> Actually this command allows my PIX (the VPN termination point) to pass IPSEC traffic. What I need is something similar on everybody else's PIX! :-)
>
> Keep in mind, I am having problems when the user is behind a firewall. The firewall *should* allow all return traffic, but I think the problem is that some traffic is initiated by my PIX, and is therefore not considered return traffic. After reviewing the last couple of posts, it looks like that traffic can be defined as UDP 500 and the ESP protocol.
>
> -----Original Message-----
> From: Larry Roberts [mailto:lroberts22@qwest.net]
> Sent: Wednesday, August 29, 2001 8:40 PM
> To: Joseph McEvoy; ccielab@groupstudy.com
> Subject: Re: ISAKMP Ports blocked when using VPN client?
>
> Try this command
>
> sysopt connection permit-ipsec
>
> This allows return IPSec traffic w/o a conduit.
>
> ----- Original Message -----
> From: "Joseph McEvoy"
> To: "'Larry Roberts'" ; "Joseph McEvoy" ;
> Sent: Wednesday, August 29, 2001 4:46 PM
> Subject: RE: ISAKMP Ports blocked when using VPN client?
>
> > No, they are customer sites. My original goal was to have VPN connectivity from anywhere. (Excluding of course those sites that are explicitly blocking that type of traffic).
> >
> > The PIX at the test remote site was under my control, and it allowed all outbound traffic. My thought was that some of the ISAKMP traffic was being blocked because it was initiated from the PIX at HQ.
> >
> > -----Original Message-----
> > From: Larry Roberts [mailto:lroberts22@qwest.net]
> > Sent: Wednesday, August 29, 2001 8:04 PM
> > To: Joseph McEvoy; ccielab@groupstudy.com
> > Subject: Re: ISAKMP Ports blocked when using VPN client?
> >
> >
> > Hi Joseph,
> >
> > Sounds to me like the other Firewall is blocking ISAKMP, AH, and/or ESP. Is this other firewall under your administrative control?
> >
> > Sincerely,
> > Larry Roberts
> > CCIE #7886
> >
> > ----- Original Message -----
> > From: "Joseph McEvoy"
> > To:
> > Sent: Wednesday, August 29, 2001 2:46 PM
> > Subject: ISAKMP Ports blocked when using VPN client?
> >
> >
> > > Hello Group,
> > >
> > > I have installed a PIX running 6.01 and configured it for Cisco's latest VPN client 3.02. Anyway, it works like a charm except when the user is at a remote location with a firewall. I don't believe this is a NAT/PAT issue, as I can connect from home using a Linksys router that is doing PAT. My only guess is that our PIX (the VPN termination point) is initiating an ISAKMP key exchange back to the client after the client goes through exchanging its key.
> > >
> > > Does anybody have a workaround, or at the very least can anybody confirm why this is happening?
> > > TIA -Joe McEvoy
> > > **Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:00 GMT-3