I have a Cisco Pix 515e and need to allow a vendor VPN access to his office network. What commands are needed?
It appears that the PIX is intercepting VPN connections from inside our network. I need to enable a passthru for VPN’s originating within or company network.
Best answer:
Answer by Gene M
You need to allow protocols ESP and GRE inbound. I think there are more, but I cannot access my PIX now.
To begin with, allowing encrypted connections to pass through your security devices uninspected is a really bad idea.
However, you need to make sure you are allowing IPsec to pass from the inside network to the outside world if you applied access lists to the inside interface. The following allows anyone on the inside to connect to anyone on the outside through the firewall, using either UDP or TCP (assuming the default port numbers):
access-list 100 permit udp any any eq 500
access-list 100 permit tcp any any eq 10000
Make sure the access list is applied to the interface using the access-group command, and that your access list is complete. There is an implicit deny at the end of an access list, so the above would allow IPsec to pass and drop everything else :-)
Also make sure you have a valid NAT translation in place from the inside to the outside for the connection to pass. I have had PIX firewalls cause intermittent connectivity problems with VPN passthrough using PAT, and the quick fix was to give the end user a static NAT translation. There is probably a more elegant fix available from Cisco TAC, but I wasn't interested enough in making it work to delve much deeper into it :-)
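As an added example (not part of either answer above), here is a fuller PIX OS 6.3 configuration for the passthrough described in the second answer, combined with the inbound ESP permit Gene M mentions. Beyond the two access-list lines posted above it adds NAT-T (udp/4500), which most IPsec peers negotiate when they detect a NAT in the path, and ESP itself (IP protocol 50), which carries the tunnel when NAT-T is not negotiated. The interface names inside/outside, the access-list names, the inside host 10.0.0.25 and the public address 203.0.113.10 are placeholders, not values from the original question.

```text
access-list 100 remark Added example: IPsec passthrough from the inside network
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq 4500
access-list 100 permit esp any any
access-list 100 permit tcp any any eq 10000
access-list 100 remark Everything else the inside network needs must also be listed, or the implicit deny drops it
access-list 100 permit udp any any eq domain
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq https
access-group 100 in interface inside

access-list outside_in remark Added example: ESP has no ports and PIX 6.x does not track it statefully, so the reply direction is permitted explicitly
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.0.0.25 netmask 255.255.255.255 0 0
```

The static for 10.0.0.25 takes precedence over the nat/global pair for that host, which is the "static NAT translation" fix the answer describes: plain ESP carries no port numbers, so PAT on a shared address cannot tell two inside hosts' tunnels apart, and a one-to-one translation sidesteps that. If the vendor's VPN peer supports NAT-T, the tunnel is wrapped in udp/4500 and PAT handles it without the static; `show xlate` and `show conn` on the PIX will show whether udp/4500 or bare ESP is actually in use.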