Topic: M0n0 and PIX (P2P VPN setup) Rules questions...  (Read 2764 times)
« on: April 05, 2007, 07:27:43 »
benkhart *
Posts: 6

Ok so I've got a 4501 running M0n0 1.23 and I'm trying to set up a PIX 501 to establish a site-to-site VPN tunnel to our 3000 Concentrator at work.  Note: I do realize that I will be unable to utilize the VPN unless cabled directly to its eth1 port.

Ok so everything up till now works perfectly, pinging the public concentrator IP from the LAN side.  The PIX already has a basic setup and 1 rule forwarding everything from eth1 to eth0.

The EzVPN setup on the PIX has been tested and successfully establishes a session from inside the work LAN (verifying ezvpn group/IP info); however, from home it will not set up the tunnel.

And while in a telnet session with the PIX I am unable to ping the public concentrator IP.  Has anyone else out there attempted something like this?  Right now the eth0 on the PIX is cabled to a regular switch port which is fed by the m0n0.  Since on the LAN side all traffic is forwarded to the WAN side, I can't understand why I can ping that public IP from my desktop but not from the PIX.
« Reply #1 on: April 05, 2007, 22:37:09 »
cmb *****
Posts: 851

where do you have the PIX outside interface plugged in? On your LAN with a private IP, or an OPT interface, or?
« Reply #2 on: April 05, 2007, 23:06:09 »
benkhart *
Posts: 6

The outside int was already set up to use DHCP, so what should have been happening (to my understanding) is: it pulls a private-side IP from your local network, then initiates the tunnel to the public concentrator, and I think the inside int is supposed to be IP'd matching the destination network... right?
« Reply #3 on: April 06, 2007, 01:35:09 »
cmb *****
Posts: 851

If you plugged the outside interface into your LAN and you have DHCP enabled on your LAN, yes, it should pull an IP from DHCP and should be able to access the Internet.

Does the concentrator actually respond to pings from the Internet? I would try to ping it from something else, and try to ping something else from the PIX. Not responding to ping doesn't necessarily mean the VPN won't work.

Without knowing how the concentrator and PIX are set up it's hard to say, but keep in mind NAT could be a problem. You may need a public IP on the PIX, or to change the configuration of one or both sides so it works with NAT in between.
« Reply #4 on: April 07, 2007, 11:42:31 »
bitonw **
Posts: 79

is this what you have?

lan - m0n0wall - dmz? - pix -> internet <- vpn 3000

bear in mind that a PIX doesn't allow any traffic from outside to inside by default...
« Reply #5 on: April 09, 2007, 05:07:01 »
darklogic *
Posts: 45

Ok, I am trying to piece together what your setup is. I have worked with the PIX 501 and 506E many times. If I am understanding correctly, you are trying to establish a VPN tunnel using your PIX 501, not monowall. I am thinking your monowall firewall is the front-line firewall to the Internet, right? If this is the case you will need to set up NAT-T on your PIX 501. This will allow for authentication to pass through a NATted device, one being your monowall. You will also have to allow outbound on port 500 on your monowall. You will also have to port forward the ESP port to your PIX. Note that you will know the VPN is up when the Tunnel light turns green on the PIX. And yes, the 3000 concentrator will accept ping if you allow it. Depending on what level of PIX 501 you purchased, with the version of IOS you will most likely be limited to 3DES encryption. Just note that everything must match on both ends of the tunnel.
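Picking up cmb's point that NAT between the PIX and the concentrator may be the problem, and darklogic's advice to turn on NAT-T, here is an added example (not code from anyone in this thread) that classifies IPsec packets the way they would appear in a capture on the m0n0wall WAN. It shows the actual reason NAT-T matters: IKE on UDP/500 carries ports a PAT device can rewrite, while plain ESP (IP protocol 50) has no ports at all, which is what the UDP/4500 encapsulation of RFC 3948 fixes. The PIX address 192.168.1.50, the concentrator address 203.0.113.10 and all packet bytes are constructed for the example; none of it is captured from the poster's network.

```python
"""Classify IPsec traffic as seen on the NAT side (e.g. a capture on the m0n0wall
WAN) to show why a PIX behind PAT needs NAT-T: IKE rides on UDP/500 and has ports
to translate, but plain ESP (IP protocol 50) has none, so the data plane breaks
unless it is UDP-encapsulated on 4500 (RFC 3948)."""
import ipaddress
import struct

IKE_PORT = 500        # ISAKMP / IKEv1
NAT_T_PORT = 4500     # NAT-T: IKE behind a 4-byte non-ESP marker, or ESP-in-UDP
PROTO_UDP = 17
PROTO_ESP = 50
# IKEv1 exchange types (RFC 2408/2409); EzVPN group authentication uses aggressive mode
IKE_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}


def build_ipv4(proto, src, dst, payload):
    """Constructed minimal IPv4 header (no options, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header with checksum 0 (legal for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ike(exchange_type, msg_id=0):
    """ISAKMP header (28 bytes) followed by a zeroed stand-in payload."""
    body = b"\x00" * 32
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10,
                       exchange_type, 0, msg_id, 28 + len(body)) + body


def ike_exchange(ike):
    """The exchange type byte sits at ISAKMP header offset 18."""
    if len(ike) < 28:
        return "truncated"
    return IKE_EXCHANGES.get(ike[18], f"type {ike[18]}")


def classify(pkt):
    """Return what the packet is and whether a PAT box can translate it."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    res = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
           "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    payload = pkt[ihl:]
    if proto == PROTO_ESP:
        # Raw ESP: SPI + sequence number, no port fields for PAT to rewrite.
        res.update(kind="esp", transport="ip/50", spi=struct.unpack("!I", payload[:4])[0],
                   pat_friendly=False,
                   note="no ports: PAT cannot multiplex; only 1:1 NAT or a single passthrough tunnel")
        return res
    if proto != PROTO_UDP:
        res.update(kind="other", transport=f"ip/{proto}", pat_friendly=None)
        return res
    sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
    data = payload[8:ulen]
    transport = f"udp/{sport}->{dport}"
    if IKE_PORT in (sport, dport):
        res.update(kind="ike", exchange=ike_exchange(data), transport=transport, pat_friendly=True)
    elif NAT_T_PORT in (sport, dport):
        if data == b"\xff":                       # RFC 3948 2.3 NAT keepalive
            res.update(kind="nat-keepalive", transport=transport, pat_friendly=True)
        elif data[:4] == b"\x00\x00\x00\x00":     # non-ESP marker: IKE floated to 4500
            res.update(kind="ike", exchange=ike_exchange(data[4:]),
                       transport=transport + " (NAT-T)", pat_friendly=True)
        else:                                     # first 4 bytes are the ESP SPI
            res.update(kind="esp-in-udp", spi=struct.unpack("!I", data[:4])[0],
                       transport=transport + " (NAT-T)", pat_friendly=True)
    else:
        res.update(kind="udp", transport=transport, pat_friendly=True)
    return res


def tunnel_survives_pat(pkts):
    """False if any packet of the tunnel is known to be untranslatable by PAT."""
    return all(classify(p)["pat_friendly"] is not False for p in pkts)


# Constructed sample: PIX outside interface on the m0n0wall LAN (192.168.1.50)
# talking to a concentrator at 203.0.113.10 (TEST-NET-3); both addresses are made up.
PIX, VPN3000 = "192.168.1.50", "203.0.113.10"
IKE_AGGR = build_ipv4(PROTO_UDP, PIX, VPN3000, build_udp(500, 500, build_ike(4)))
RAW_ESP = build_ipv4(PROTO_ESP, PIX, VPN3000, struct.pack("!II", 0x0BADCAFE, 1) + b"\x00" * 16)
NATT_IKE = build_ipv4(PROTO_UDP, PIX, VPN3000,
                      build_udp(4500, 4500, b"\x00" * 4 + build_ike(32, 7)))
NATT_ESP = build_ipv4(PROTO_UDP, PIX, VPN3000,
                      build_udp(4500, 4500, struct.pack("!II", 0x0BADCAFE, 2) + b"\x00" * 16))
KEEPALIVE = build_ipv4(PROTO_UDP, PIX, VPN3000, build_udp(4500, 4500, b"\xff"))
WITHOUT_NAT_T = [IKE_AGGR, RAW_ESP]
WITH_NAT_T = [IKE_AGGR, NATT_IKE, NATT_ESP, KEEPALIVE]

if __name__ == "__main__":
    for p in WITHOUT_NAT_T + WITH_NAT_T[1:]:
        print(classify(p))
    print("plain IPsec through PAT:", tunnel_survives_pat(WITHOUT_NAT_T))
    print("NAT-T IPsec through PAT:", tunnel_survives_pat(WITH_NAT_T))
```

Fed the raw bytes of real packets from a capture on the m0n0wall WAN, the same classify() tells you whether the PIX ever floated IKE to UDP/4500 and started sending ESP-in-UDP; if you only ever see aggressive mode on 500 followed by raw protocol 50, the two ends never agreed on NAT-T and no amount of rule tweaking on the m0n0wall will carry the data plane through PAT.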