HELP!!! VPN to another network while behind Cisco 501 PIX
Guest
Posted: Fri Dec 16, 2005 1:31 am    Post subject: HELP!!! VPN to another network while behind Cisco 501 PIX

I have a remote site currently using a DSL connection connected to a
PIX 501 with a direct VPN connection back to the corporate office. My
remote site needs to be able to connect (using XP VPN software) to
another company's network. I can connect to their network if I am at
home on my DSL connection but if I am behind my Cisco PIX 501 firewall
I get an error 619. Anyone have any ideas? Any help would be greatly
appreciated.

Current config
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXXXX /e encryptXXXXXXXXXXXX
passwd XXXXXXXXXXXXXXXXXXXXXXXX /e encryptXXXXXXXXXXXX
hostname ABC-COMP
domain-name ABC-COMP
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 ABC-COMP
access-list ipsecpeer permit ip 10.X.X.X 255.255.255.0 ABC-COMP 255.255.0.0
access-list ipsecvpn permit ip 10.X.X.X 255.255.255.0 ABC-COMP 255.255.0.0
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq 500
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 1701
access-list 101 permit tcp any any eq 1701
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq https
access-list 101 permit tcp any any eq 4500
access-list 101 permit udp any any eq 4500
pager lines 24
logging on
logging history debugging
mtu outside 1500
mtu inside 1500
ip address outside 65.X.X.X 255.255.255.X
ip address inside 10.X.X.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list ipsecpeer
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 65.X.X.X 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 192.X.X.X source outside
http server enable
http 10.X.X.X 255.255.255.0 inside
snmp-server host inside 10.X.X.X
snmp-server XXXXXXXXXXXXXXXXXXXXXXXXX
snmp-server contact XXXXXXXXXXXX
snmp-server XXXXXXXXXXXXXXXXXXXXXXXX
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
crypto ipsec transform-set XXXXXXXXXXXX XXXXX-XXXX XXXXX-XXXX
crypto map vpn_map 20 ipsec-isakmp
crypto map vpn_map 20 match address ipsecvpn
crypto map vpn_map 20 set peer 67.X.X.X
crypto map vpn_map 20 set transform-set XXXX
crypto map vpn_map interface outside
isakmp enable outside
isakmp key XXXXXXXXXX address 67.X.X.X netmask 255.X.X.X
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 10.X.X.X 255.X.X.X inside
telnet ABC-COMP 255.X.X.X inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname XXXXXXXXXXXXXXXXXXXXXXXXXX
vpdn group pppoex ppp authentication pap
vpdn username XXXXXXXXXXXXXXX password XXXXXXXXXXXXXXXXX
dhcpd dns 10.X.X.X 10.X.X.X
dhcpd wins 10.X.X.X
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ABC-COMP
dhcpd auto_config outside
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Guest
Posted: Fri Dec 16, 2005 3:49 am    Post subject: Re: HELP!!! VPN to another network while behind Cisco 501 PI

If you mean PPTP when you say MS VPN, then the problem is with the pix
not supporting PPTP passthrough. Sadly, everything but a PIX supports
it such as the Linksys or Dlink router you have at home - even IOS
supports it, but not the PIX.

However, there is hope - it's coming out in the next version.

The only workaround is to have a static one-to-one NAT with each inside
host that needs VPN access to a public IP address. Also you will need
a rule for PPTP (TCP 1723) going in both directions - Just having it
from the inside --> out won't take care of it.

-------------------------------------
Scott
http://tech.scottp.net
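Scott's workaround written out as an added PIX 6.x configuration example. This is not from the original post, from Cisco's documentation, or from the poster's running config; it assumes a hypothetical inside workstation 10.1.1.50 running the XP PPTP client and a spare public address 203.0.113.10 on the outside subnet, both placeholders. Scott's post names TCP 1723 (the PPTP control channel); the GRE rule is added here because the PPTP tunnel payload travels in GRE (IP protocol 47), which carries no port numbers and is the reason the interface PAT already in the posted config (global (outside) 1 interface) cannot multiplex it, hence the one-to-one static.

```cisco
! Added example, not from the original post. Placeholder addresses:
!   10.1.1.50    = inside workstation running the XP PPTP client (hypothetical)
!   203.0.113.10 = spare public address on the outside subnet (hypothetical)

! One-to-one static NAT for that host so its GRE traffic is not PAT'd.
! "nat (inside) 0 access-list ipsecpeer" from the posted config still takes
! precedence for traffic from this host to the corporate network, so the
! existing site-to-site tunnel is unaffected.
static (inside,outside) 203.0.113.10 10.1.1.50 netmask 255.255.255.255 0 0

! Inbound rules on the outside interface for the return traffic.
! Access-list 101 is already bound with "access-group 101 in interface outside",
! so these lines are appended to it. Keep them host-specific: a
! "permit gre any any" would open every inside host that later gets a static.
access-list 101 permit tcp any host 203.0.113.10 eq 1723
access-list 101 permit gre any host 203.0.113.10

! No inside-interface change is needed: outbound from inside (security100)
! to outside (security0) is permitted by default and the host now matches
! the static rather than the dynamic PAT.
```

After applying it, "show xlate" on the PIX should list a static translation for 10.1.1.50, and a failed PPTP attempt from that host will show which of the two inbound rules (TCP 1723 or GRE) is not being hit in "show access-list 101" hit counts. Only the single host with the static is reachable from outside on TCP 1723 and GRE; everything else keeps the posted policy.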
Peter Simons
Guest
Posted: Fri Dec 16, 2005 4:06 am    Post subject: Re: HELP!!! VPN to another network while behind Cisco 501 PI

scottpdotnet@gmail.com wrote:
Quote:
If you mean PPTP when you say MS VPN, then the problem is with the pix
not supporting PPTP passthrough. Sadly, everything but a PIX supports
it such as the Linksys or Dlink router you have at home - even IOS
supports it, but not the PIX.

However, there is hope - it's coming out in the next version.

The only workaround is to have a static one-to-one NAT with each inside
host that needs VPN access to a public IP address. Also you will need
a rule for PPTP (TCP 1723) going in both directions - Just having it
from the inside --> out won't take care of it.

-------------------------------------
Scott
http://tech.scottp.net

???

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Peter