[TriLUG] Re: PIX 501 questions

STaylor at srspos.com
Fri Jan 31 08:21:59 EST 2003


Very tricky...

Even though your packets are appearing to be leaving from your PIX box 
with the outside IP, it (the packet) still has to have some info about the 
true originator in it! That is my best guess anyway, assuming that the 
VPN client has a 192 address being masked by the 501.

Since you are using a Cisco VPN client I would go ahead and establish the 
VPN tunnel directly with that. It should tunnel up nicely with the host 
Cisco you are connecting to.

What you may want to do is take this question to the person who 
administers the VPN server and ask him what he allows and doesn't allow.

I am pretty sure that by default it drops any IP masquerading.

Good Luck,

Shawn

Shawn Taylor
Systech Retail Systems
2600 Sumner Boulevard
Raleigh, NC 27616
1-800-232-0820 ext 127
staylor at srspos.com


Glen Ford <gford at idiom.com>
Sent by: trilug-admin at trilug.org
01/30/2003 11:19 PM
Please respond to trilug

To: TriLUG <trilug at trilug.org>
Subject: [TriLUG] PIX 501 questions


Not a directly Linux-related question, but I hope the good folks on this 
list might be able to help.
In an effort to learn a little about Cisco PIX products I have swapped 
out my Linksys DSL router with a PIX 501.  I used the Linksys and now the 
PIX as a firewall between my home boxes and my RoadRunner cable modem. 
Pretty standard stuff.


I am having two problems with my PIX 501.


1.  The outside interface of my PIX gets assigned by the ISP via DHCP. 
This works for the most part, except periodically I lose connectivity to 
my RoadRunner router.  I know this because my wife complains that she 
can not use the browser. I check the connection by pinging the router 
from the command line inside the PIX. The pings fail and I have to issue 
the following command to regain my connectivity: "ip address outside dhcp 
setroute retry 5".  This is proving to be irritating. Why does the 
outside PIX lose connectivity to the router?


2. With the Linksys I am able to use the Cisco VPN client for Linux without 
any problems, i.e. from a server behind the Linksys I am able to establish a 
VPN connection to my corporate network.  This is an IPsec tunnel over UDP 
port 500 (esp).  The Linksys passes this traffic without any problems. 
linux (vpn client) ---> linksys ----> vpn end-point
However, when I use the PIX it does not work.  I know I am passing the 
UDP port 500 traffic because I see it leaving the outside interface of 
the PIX.  I use the debug command to see it.  I do not see any reply traffic 
coming back from the VPN request.  The packets leaving the PIX are 
addressed with a source of the outside interface and a destination of my 
corporate VPN end-point.  This all seems correct except I do not see any 
traffic coming back from the corporate end-point.  After some time the 
VPN client croaks and says that it timed out trying to make the 
connection.

Any help with either/both of these two questions would be much 
appreciated.

Thanks,
/Glen

_______________________________________________
TriLUG mailing list
    http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ:
    http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
