ok,
I have searched high and low for this answer and cannot find anything
like this. I have a vendor that requires us to use their VPN device to
connect to their network. This device is configured to ping an
external server and if there is a response to connect to the secure
server located there over the internet. If there is no response then
it completes a dial backup. Only certain clients have access to the
VPN device. Routing is working, because if I turn the pings off the
clients can access the web server successfully over the dial backup.
When I turn ping back on we get a page cannot be displayed error (I am
seeing the ping successes), meaning the IPSEC tunnel is not making it
through the firewall. IAW with vendor instructions I have enabled the
ESP-IKE fixup protocol and created static rules for port 50 and 500.
My questions follow:
1. what am I missing?
I found references to ISAKMP NAT traversal, but in order to enable
that I need to disable the ESP-IKE protocol. I only have one client on
the inside of the firewall that is creating and accessing the tunnel
(the users connect through this device) everything I have found on
ESP-IKE is that it should work.
2. Is there another port I need to enable?
3. The bottom line is I want to allow the IPSEC tunnel from the
internal device to pass through the firewall untouched.
I do not have access at all to the vendor device
Rules:
static (inside,outside) udp interface isakmp 192.168.1.251 isakmp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 500 192.168.1.251 500 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50 192.168.1.251 50 netmask 255.255.255.255 0 0
Map:
PIX 515E 192.168.1.254
|
|
Switch
|
|
Vendor Device (cisco 1711) 192.168.1.251
Thanks in advance for all your help
John
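An added check, not from the post or the vendor: a small Python linter over PIX-style static lines that flags the two common IPsec passthrough mistakes (treating ESP, which is IP protocol 50, as a TCP/UDP port, and mapping ISAKMP on TCP instead of UDP 500) and notes whether a UDP 4500 NAT-T translation is present. The sample rule text and the `isakmp` name-to-number mapping are constructed for this example.

```python
import re

# Constructed sample, modelled on the static translations quoted in the post
# (not the poster's actual running config).
SAMPLE_RULES = """
static (inside,outside) udp interface isakmp 192.168.1.251 isakmp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 500 192.168.1.251 500 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 50 192.168.1.251 50 netmask 255.255.255.255 0 0
"""

# static (in,out) <tcp|udp> <global_if_or_ip> <gport> <local_ip> <lport> netmask ...
STATIC_RE = re.compile(
    r"^static\s+\(\w+,\w+\)\s+(?P<proto>tcp|udp)\s+\S+\s+(?P<gport>\S+)\s+"
    r"(?P<lhost>\S+)\s+(?P<lport>\S+)"
)
PORT_NAMES = {"isakmp": 500}  # PIX accepts service names in place of numbers


def _port(token):
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse_static(line):
    """Return (proto, local_host, local_port) for a PIX port static, else None."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    return m["proto"], m["lhost"], _port(m["lport"])


def check_ipsec_passthrough(config_text):
    """Flag statics that cannot carry IPsec. ESP is IP protocol 50, not a TCP/UDP
    port, so a 'tcp ... 50' static matches no IPsec traffic. IKE (ISAKMP) runs on
    UDP 500; NAT traversal, if the peers negotiate it, carries ESP in UDP 4500."""
    findings, udp_ports = [], set()
    for line in config_text.splitlines():
        parsed = parse_static(line)
        if parsed is None:
            continue
        proto, _host, port = parsed
        if port == 50:
            findings.append(f"ESP is IP protocol 50, not {proto.upper()} port 50: {line.strip()}")
        elif proto == "tcp" and port == 500:
            findings.append(f"ISAKMP uses UDP 500, TCP 500 carries no IKE: {line.strip()}")
        if proto == "udp":
            udp_ports.add(port)
    if 500 not in udp_ports:
        findings.append("missing UDP 500 (ISAKMP) static")
    if 4500 not in udp_ports:
        findings.append("missing UDP 4500 static (only needed if NAT traversal is negotiated)")
    return findings


if __name__ == "__main__":
    for finding in check_ipsec_passthrough(SAMPLE_RULES):
        print("WARN:", finding)
```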