Posted by Marc on February 18, 2007, 3:53 pm
Dear Walter and all readers,
Many Thanks for your reply.
The ADSL modem is an SMC 7808 router. It is capable of bridging, but not in
combination with ADSL / over PPP protocol. I configured the router with the
tcp/udp ports you specified.
B.T.W. the VPN connection is created and secured, but transferring data is
the problem. I tested this also with a PPTP connection (with the right
ports of course). Still the same problem. When I put my laptop in the DMZ
network (where the outside port of the pix is located) there is no problem. I
can exchange data with the internal network over ipsec.
The NAT table of the router is as below:
Proto  Outside pix   loc. prt  Public IP router  Pseudo prt  Peer            Peer port
UDP    10.0.99.50    500       83.247.122.195    500         83.247.53.136   10
I configured the sysopt connection permit-ipsec at this time, so I don't
have to worry about access rules. I configured the isakmp nat-traversal with
a long time out.
Kind Regards,
Marc
>
>>I have a problem with a pix 501 and VPN.
>
>>The connection to the internal network is as follows:
>
>>internet-->DMZ -->External int. pix..> internal network. (see visio
>>diagram)
>
> Please don't post binary files in text newsgroups.
>
> And as best I recall, I don't have access to a visio viewer.
>
>>My problem is as follows: When I connected a pc to the DMZ and try a cisco
>>vpn everything is working perfectly. (In my opinion there is nothing
>>wrong with the pix configuration.)
>
>>When I try to connect to the pix from the internet the entire process seems
>>okay. I'll get a perfect connection. But when I try to ping, or do a rdc.
>>to a server nothing happens. In my opinion there is something wrong
>>with the portmapping on the router.
>
>>I mapped:
>
>>500 udp/tcp
>>50/51 tcp
>>10000 udp/tcp
>>4500 / udp/tcp
>
> You don't need 500 TCP, just 500 UDP.
>
> You don't need 10000 TCP or UDP: that was for an old VPN passthrough
> that is not supported on the PIX 501.
>
> You don't need 4500 TCP, just 4500 UDP, and that only if you have
> isakmp nat-traversal configured on the 501.
>
> You don't need 50 or 51 TCP. No VPN that I know of uses TCP 50 or TCP 51.
> The ESP protocol used by IPSec is IP Protocol 50, and the AH protocol
> used by IPSec is IP Protocol 51, but those numbers are IP Protocol
> numbers, exactly the same way that TCP is IP Protocol 6 and UDP
> is IP Protocol 17. And most consumer devices and ADSL modems do
> not allow configuring forwarding by IP Protocol, only by TCP or UDP port.
> However, if your endpoint for the VPN tunnel is the PIX, and you
> have isakmp nat-traversal configured, then as long as UDP 500 and
> UDP 4500 can get through the ADSL modem to the PIX, the PIX should
> be able to work around the lack of direct ESP or AH packets (it will
> encapsulate the packets in UDP 4500.)
>
>
> It isn't clear to me at which device you did the mapping. The mappings
> noted would have to be done at the ADSL modem level if anywhere:
> you don't need them on the PIX if your security gateway is the
> PIX and you are using the Cisco client to connect to the PIX in
> order to access the server resources. But you -do- need to either
> permit the RDP etc. ports through the PIX outside interface, or else
> configure sysopt connection permit-ipsec to permit the VPN connections
> to go anywhere inside without ACL controls.
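As an added illustration of the point made in the quoted reply (this is not code from either poster or from Cisco): ESP and AH are IP protocols 50 and 51 with no port field, so a router that only forwards by TCP/UDP port cannot match them, whereas with isakmp nat-traversal the PIX carries both IKE and ESP inside UDP 500/4500, which such a router can forward. The packets and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; the non-ESP marker and ESP-in-UDP layout follow RFC 3948.

```python
import socket
import struct

# IP protocol numbers from the thread: ESP (50) and AH (51) are protocols, not ports.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: marks IKE (not ESP) carried inside UDP 4500

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet: ike, nat-t-ike, nat-t-esp, esp, ah or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto == IPPROTO_ESP:
        return "esp"   # no TCP/UDP header at all: a port-based NAT rule cannot match it
    if proto == IPPROTO_AH:
        return "ah"
    payload = packet[ihl:]
    if proto != IPPROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    if IKE_PORT in (sport, dport):
        return "ike"
    if NAT_T_PORT in (sport, dport):
        # After NAT detection IKE moves to 4500 behind a zero marker; ESP-in-UDP starts with its SPI
        return "nat-t-ike" if payload[8:12] == NON_ESP_MARKER else "nat-t-esp"
    return "other"

def needed_forward(kind: str):
    """UDP port a port-only router must forward to the PIX for this traffic (None = impossible)."""
    return {"ike": IKE_PORT, "nat-t-ike": NAT_T_PORT, "nat-t-esp": NAT_T_PORT}.get(kind)

def build_ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="198.51.100.20") -> bytes:
    # Constructed header; checksum left 0 because classify() never verifies it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples: raw ESP (what the router sees without NAT-T), IKE on 500, and NAT-T on 4500.
SPI = b"\x00\x00\x12\x34"
SAMPLES = {
    "raw_esp":   build_ipv4(IPPROTO_ESP, SPI + b"\x00" * 12),
    "ike":       build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x11" * 28)),
    "nat_t_esp": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, SPI + b"\x00" * 12)),
    "nat_t_ike": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28)),
}
```

Running classify() over SAMPLES shows why the TCP 50/51 and 10000 mappings in the thread do nothing, and why only UDP 500 and UDP 4500 matter once nat-traversal is enabled.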