RE: ISAKMP Ports blocked when using VPN client?

From: Church, Chuck (cchurch@xxxxxxxx)
Date: Thu Aug 30 2001 - 14:03:21 GMT-3


   
Sysopt is only for connections terminating ON THAT PIX that sysopt is
configured on. Think of it as an inbound ACL where the destination is the
outside address of the PIX, mask 255.255.255.255. Usually you use sysopt for
VPNs terminating on the PIX. Conduits (or ACLs) are required for traffic that
goes in one interface and out another, regardless of whether it's a host or
another VPN-capable device behind the PIX.

Chuck

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Don Rogers
Sent: Thursday, August 30, 2001 8:59 AM
To: brian apley
Cc: Joseph McEvoy; 'Larry Roberts'; ccielab@groupstudy.com
Subject: Re: ISAKMP Ports blocked when using VPN client?

We had a similar problem.

nortel vpn box ------ (inside) PIX (outside) ------ nortel vpn box

Configured sysopt. It did not work. Called Cisco.
Cisco told us to add a conduit permitting esp to/from any.
Problem was solved.

Note:
Cisco did not tell us to add an access-list permitting esp.
Cisco did not tell us to add a static.
The problem was solved solely through the use of the sysopt and the conduit.

brian apley wrote:

> What kind of FW is the user behind? Some (like Netscreen and, yes, PIX)
> do have a problem in passing phase 1 and/or phase 2 through (similar to
> H.323: the true source address of the client is in the payload, the firewall
> doesn't translate it right even on a static NAT, or the FW just freaks
> when it sees the IPSEC outbound traffic). Checkpoint and IOS FW work
> like a charm for this kind of pass-through. Netscreen, PIX: bad, bad.
> Linksys? I'm sure that works fine because IT'S NOT A TRUE FIREWALL.
>
> Brian Apley
> CCIE #7599, CCDP
> Joseph McEvoy <JMcEvoy@isgny.com> wrote:
>
> It's already in there. Actually this command allows my PIX (the VPN
> termination point) to pass IPSEC traffic. What I need is something similar
> on everybody else's PIX! :-)
>
> Keep in mind, I am having problems when the user is behind a firewall. The
> firewall *should* allow all return traffic, but I think the problem is that
> some traffic is initiated by my PIX, and is therefore not considered return
> traffic. After reviewing the last couple of posts, it looks like that
> traffic can be defined as UDP 500 and the ESP protocol.
>
> -----Original Message-----
> From: Larry Roberts [mailto:lroberts22@qwest.net]
> Sent: Wednesday, August 29, 2001 8:40 PM
> To: Joseph McEvoy; ccielab@groupstudy.com
> Subject: Re: ISAKMP Ports blocked when using VPN client?
>
> Try this command
>
> sysopt connection permit-ipsec
>
> This allows return IPSec traffic w/o a conduit.
>
> ----- Original Message -----
> From: "Joseph McEvoy"
> To: "'Larry Roberts'" ; "Joseph McEvoy"
> ;
> Sent: Wednesday, August 29, 2001 4:46 PM
> Subject: RE: ISAKMP Ports blocked when using VPN client?
>
> > No, they are customer sites. My original goal was to have VPN connectivity
> > from anywhere. (Excluding of course those sites that are explicitly
> > blocking that type of traffic).
> >
> > The PIX at the test remote site was under my control, and it allowed all
> > outbound traffic. My thought was that some of the ISAKMP traffic was
> > being blocked because it was initiated from the PIX at HQ.
> >
> > -----Original Message-----
> > From: Larry Roberts [mailto:lroberts22@qwest.net]
> > Sent: Wednesday, August 29, 2001 8:04 PM
> > To: Joseph McEvoy; ccielab@groupstudy.com
> > Subject: Re: ISAKMP Ports blocked when using VPN client?
> >
> >
> > Hi Joseph,
> >
> > Sounds to me like the other firewall is blocking ISAKMP, AH, and/or ESP.
> > Is this other firewall under your administrative control?
> >
> > Sincerely,
> > Larry Roberts
> > CCIE #7886
> >
> > ----- Original Message -----
> > From: "Joseph McEvoy"
> > To:
> > Sent: Wednesday, August 29, 2001 2:46 PM
> > Subject: ISAKMP Ports blocked when using VPN client?
> >
> >
> > > Hello Group,
> > >
> > > I have installed a PIX running 6.01 and configured it for Cisco's latest
> > > VPN client 3.02. Anyway, it works like a charm except when the user is
> > > at a remote location with a firewall. I don't believe this is a NAT/PAT
> > > issue, as I can connect from home using a Linksys router that is doing
> > > PAT. My only guess is that our PIX (the VPN termination point) is
> > > initiating an ISAKMP key exchange back to the client after the client
> > > goes through exchanging its key.
> > >
> > > Does anybody have a workaround, or at the very least can anybody
> > > confirm why this is happening?
> > > TIA -Joe McEvoy
> > > **Please read:http://www.groupstudy.com/list/posting.html
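As an added illustration of the distinction Chuck draws above (this is a constructed PIX 6.x configuration fragment, not taken from any message in this thread), the two cases side by side: IPsec terminating on the PIX, where `sysopt connection permit-ipsec` alone lets the peer's traffic in, and an IPsec peer sitting behind the PIX, where sysopt does nothing and the ESP and UDP 500 traffic must be explicitly permitted through. The interface names and the 192.0.2.x / 10.1.1.x addresses are assumptions for the example.

```cisco
! Constructed example. Assumed: outside interface 192.0.2.1,
! inside IPsec peer 10.1.1.10 published on the outside as 192.0.2.10.

! --- Case 1: IPsec terminates ON this PIX (e.g. Cisco VPN Client users) ---
isakmp enable outside
! Packets arriving through an IPsec tunnel to this PIX are implicitly
! permitted and bypass the outside interface's access-list / conduit
! checks. No ESP or UDP 500 permit is needed for this case, but note the
! security consequence: anything a tunnel peer sends is not filtered by
! the outside access-list, so restrict what the peers may reach elsewhere.
sysopt connection permit-ipsec

! --- Case 2: the IPsec peer is BEHIND this PIX (traffic passes through) ---
! sysopt does not apply; the flow enters outside and leaves inside.
! ESP (IP protocol 50) carries no port numbers, so the inside peer gets a
! one-to-one static rather than PAT, and the inbound side is opened
! explicitly for ISAKMP (UDP 500) and ESP.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit udp any host 192.0.2.10 eq 500
access-list outside_in permit esp any host 192.0.2.10
! If the peers negotiate AH instead of or as well as ESP, add:
! access-list outside_in permit ah any host 192.0.2.10
access-group outside_in in interface outside

! Conduit form of the same two permits (the older syntax Don's case used;
! pick one style per interface, since access-group takes precedence
! over conduits on the interface it is bound to):
! conduit permit udp host 192.0.2.10 eq 500 any
! conduit permit esp host 192.0.2.10 any
```

The `any` source in case 2 mirrors the `conduit permit esp to/from any` that Don reported Cisco recommending; where the remote peer addresses are known, narrowing the source to those hosts keeps the hole limited to the peers that actually need it.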



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:00 GMT-3