Firewall Wizards mailing list archives
RE: Cisco VPN client behind a Netscreen
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 6 Nov 2003 08:45:28 -0500
Aram,

You do not need to create an IPSec policy on the NetScreen for VPN clients that are passing through it. (The same would be true if you had a VPN concentrator behind it and users were connecting inbound from the Internet.)

This problem most likely has to do with source port translation being performed by the NetScreen as part of its NAT rules for outbound traffic. The PIX will likely complain if the source port of the VPN client connection isn't 500 or 4500 as appropriate and prevent the tunnel from coming all the way up.

The best fix for this is to upgrade the PIX OS version to a current release and enable the 'isakmp nat-traversal' feature. However, since you don't have control over the PIX, another solution would be to configure a static NAT (NetScreen calls this MIP, or Mapped IP?) for just the VPN client workstation's IP address to an otherwise unused IP address on the firewall's outside subnet. This should prevent the source port from being modified when making the connection.

Good luck!

PaulM

-----Original Message-----

I have recently implemented a Netscreen 50 and I have users behind it that use a Cisco VPN client to connect to a Cisco PIX which I have no control over. Their VPN client is not functioning properly. Currently I have a policy allowing outbound traffic any from all inside. Does anyone know if I also need to create an IPsec policy for inbound traffic?

Thanks,
Aram Smith

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
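The two fixes Paul describes, written out as ScreenOS and PIX CLI fragments. This is an added illustration, not configuration from either poster; the interface name (ethernet3, the default untrust interface on a NetScreen-50), the address-book entry name, the inside host 10.1.1.5 and the outside address 192.0.2.10 are assumed placeholders, and the PIX commands require a PIX OS 6.3 or later release that supports NAT traversal.

```text
! --- NetScreen (ScreenOS) side: 1:1 Mapped IP for the one VPN workstation ---
! The MIP binds an unused address on the outside subnet to the inside host.
! Traffic from 10.1.1.5 leaves with source 192.0.2.10 and, unlike the
! interface-NAT (PAT) used for everyone else, keeps its original UDP
! source port (500, or 4500 once NAT-T kicks in) and passes ESP (IP proto 50).
set interface ethernet3 mip 192.0.2.10 host 10.1.1.5 netmask 255.255.255.255 vr trust-vr

! Address-book entry for the workstation, then the outbound permit.
! No inbound (untrust -> trust) policy is needed: replies to sessions the
! client initiates are matched by the existing session table.
set address trust "vpn-pc" 10.1.1.5 255.255.255.255
set policy from trust to untrust "vpn-pc" any any permit

! Verify: the MIP is present and the client's sessions show 192.0.2.10
! as the translated source with the port unchanged.
get mip
get session src-ip 10.1.1.5

! --- PIX side (only if you control it): let a port-translated client in ---
! Enables UDP 4500 encapsulation so IKE/ESP survive PAT; 20 is the
! keepalive interval in seconds.
isakmp nat-traversal 20
```

With the MIP in place the ScreenOS session entry for the workstation should show the translated source 192.0.2.10 and the same source port the client used; if `get session` still shows a high-numbered translated port, the host is matching an interface-NAT policy ahead of the MIP and the policy order needs to be checked.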
Current thread:
- Cisco VPN client behind a Netscreen Aram Smith (Nov 05)
- Re: Cisco VPN client behind a Netscreen Ravi Kumar (Nov 06)
- Re: Cisco VPN client behind a Netscreen Luigi Mori (Nov 06)
- RE: Cisco VPN client behind a Netscreen List Account (Nov 06)
- <Possible follow-ups>
- RE: Cisco VPN client behind a Netscreen Melson, Paul (Nov 06)
- RE: Cisco VPN client behind a Netscreen Andy Lyakhovetskiy (Nov 11)