This question is somewhat related, but on a different
scale. I was reading "CCSP Self-Study: Cisco Secure PIX
Firewall Advanced (CSPFA) 2nd ed." and found this
under "FWSM and PIX Firewall Feature Comparison" (P792):
"Virtual private network (VPN) functionality (IPSec, Point-
to-Point Tunneling Protocol [PPTP] and Layer 2 Tunneling
Protocol [L2TP]) packets flowing across the firewall is not
supported."
I questioned a Cisco SE about it prior to our implementation
of the FWSM and he claimed that it was only for management
of another PIX through the FWSM. This morning after last
Friday's implementation someone complained about not being
able to do PPTP in through the FWSM.
Anyone have any experience trying to get RAS VPN tunnels
through a Cisco FWSM?
Thanks,
---- Original message ----
>Date: Mon, 02 Feb 2004 17:50:21 +0100
>From: Javier Sanchez Llera <jsanchez_at_myalert.com>
>Subject: Re: [fw-wiz] Pix - portmap translation creation failed
>To: "Crissup, John (MBNP is)" <John.Crissup_at_us.millwardbrown.com>
>Cc: "'firewall-wizards_at_honor.icsalabs.com'" <firewall-wizards_at_honor.icsalabs.com>
>
>
>
>Hi,
>
>you should use the option "sysopt connection permit-ipsec" on your
>config to let ipsec traffic pass through the pix. You should take care of
>the nat-traversal options that your vpn-client should have.
>
>
>Cheers
>
>Javier Sanchez Llera
>jsanchez_at_myalert.com
>Systems Administrator
>MyAlert.com
>
>
>
>On Mon, 02-02-2004 at 16:38, Crissup, John (MBNP is) wrote:
>> OK, folks, need your help. We have a user trying to VPN out of our network
>> using a Netscreen or SafeNet (??) client (Sorry, got that second hand and am
>> not up on Netscreen products). I'm seeing a syslog entry being generated by
>> the PIX for message %PIX-3-305006. The exact error follows (appropriately
>> scrubbed)...
>>
>> %PIX-3-305006: portmap translation creation failed for protocol 50 src inside:172.20.1.1 dst outside:A.B.C.D
>>
>> My PIX 520 (Ver 6.3.1) is configured to use PAT for all Internet bound
>> traffic. A search of Cisco's site turns up nothing about this particular
>> error except a bug report that the documentation needs to be updated to show
>> this error. Can anyone offer some direction on how to resolve this?
>>
>> As always, thanks in advance for any assistance you can offer.
>>
>> --
>>
>> John M. Crissup
>> Network Systems Engineer
>> Global Network Services
>>
>> Millward Brown
>> 535 E. Diehl Rd.
>> Naperville, IL 60563
>>
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards_at_honor.icsalabs.com
>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>>
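The NAT-traversal advice in the quoted reply is the crux of the %PIX-3-305006 message: a PAT "portmap" xlate needs a transport-layer source port to rewrite, and ESP (IP protocol 50) carries none, so the firewall cannot build the translation. The Python model below is an added example, not code from this thread or from Cisco. The PatTable class, the outside address 198.51.100.1, the gateway address 203.0.113.10 and the log text (which echoes the wording of the message quoted above) are constructed. It generalises beyond the thread's ESP case to any portless protocol, including GRE (47), which PPTP uses for its data channel, and AH (51); NAT-T encapsulates ESP in UDP port 4500 (RFC 3948), which gives PAT an ordinary UDP flow to translate.

```python
"""Toy model of why PAT cannot translate ESP (IP protocol 50) and why
NAT-Traversal (ESP in UDP/4500, RFC 3948) fixes it.

Illustrative example only, not PIX/FWSM code. Addresses and log text are
constructed for the demo."""
from dataclasses import dataclass, field
from typing import Optional

ESP, AH, GRE, TCP, UDP = 50, 51, 47, 6, 17
NAT_T_PORT = 4500  # UDP port used for ESP-in-UDP encapsulation (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols that have no ports
    dport: Optional[int] = None


@dataclass
class PatTable:
    """Port Address Translation: many inside hosts share one outside IP and
    are told apart by a rewritten source port. Like the PIX 'portmap' xlate,
    an entry can only be created when there is a port to rewrite."""
    outside_ip: str
    next_port: int = 1024
    xlates: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in (TCP, UDP) or pkt.sport is None:
            # Portless protocol: no port-based xlate is possible.
            # Constructed message modelled on %PIX-3-305006.
            self.log.append(
                f"portmap translation creation failed for protocol "
                f"{pkt.proto} src inside:{pkt.src} dst outside:{pkt.dst}")
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlates:
            self.xlates[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.outside_ip, pkt.dst,
                      self.xlates[key], pkt.dport)


def nat_t_encapsulate(esp_pkt: Packet) -> Packet:
    """Wrap an ESP packet in UDP/4500 the way a NAT-T capable IPsec peer
    does once IKE has detected a NAT on the path."""
    assert esp_pkt.proto == ESP
    return Packet(UDP, esp_pkt.src, esp_pkt.dst, NAT_T_PORT, NAT_T_PORT)


def demo():
    """Return (plain ESP result, NAT-T result, GRE result, log lines)."""
    pat = PatTable(outside_ip="198.51.100.1")            # constructed
    inside, gateway = "172.20.1.1", "203.0.113.10"       # gateway constructed
    esp = Packet(ESP, inside, gateway)
    plain = pat.translate(esp)                           # fails: no port
    natt = pat.translate(nat_t_encapsulate(esp))         # succeeds as UDP
    gre = pat.translate(Packet(GRE, inside, gateway))    # PPTP data: fails too
    return plain, natt, gre, pat.log


if __name__ == "__main__":
    plain, natt, gre, log = demo()
    print("plain ESP:", plain)
    print("NAT-T ESP:", natt)
    print("GRE:", gre)
    for line in log:
        print("LOG:", line)
```

Running the demo shows the raw ESP and GRE packets dropped with a portmap failure while the NAT-T encapsulated copy receives a translated UDP source port; permitting the traffic through the policy (the "sysopt connection permit-ipsec" advice above) is a separate step from being able to translate it, and this model covers only the translation half.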
Received on Feb 02 2004