QuickVPN Through A Cisco PIX To WRV54G

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by tdorrington, Sep 29, 2006.

  1. tdorrington

    tdorrington LI Guru Member

    Have WRV54G at home with quickvpn working fine from Panera Bread, Starbucks, etc. Want to VPN from my offices which have Cisco PIX firewalls as connection to Internet to my home network. I have set WRV54G config to that suggested in QuickVPN Setup Guide (great doc, thanks very much), last changes being to turn off DHCP in home network and deleting VPN tunnel declared in WRV54G. On PC in office it connects to WRV54G at home, activates policy, and hangs on verifying network.

    Have read other threads and some Google items and it looks like this connection through a PIX may not be possible. Has anyone been able to do this and if so what else might I be missing? Any help / suggestions most welcome.
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    I've got a pix 501 at home along with a wrv54g and wrv200 and I've "yet" to establish a quickvpn session when I have either router behind the pix.

    On the pix, I've tried
    - sysopt connection permit-ipsec
    - fixup protocol udp 500
    - fixup protocol tcp 443

    I "still" can't get quickvpn to pass through the pix.

    Eric (Stewart), any suggestions?

  3. ifican

    ifican Network Guru Member

    I have yet to test quick vpn to a device behind a pix. I am currently working on getting it to work through a netscreen, but can pull out the pix if this continues to be an issue and start playing with it. What comes to mind off hand is the sysopt command, if I remember correctly, is not needed for inbound passthru traffic. It is used, I believe, to inherently allow inbound traffic through the pix that gets decrypted on the outside interface where a tunnel is terminated. I am uncertain at this point if it affects vpn passthru traffic that terminates past the pix in the inbound direction. Also I think you need fixup protocol esp-ike and need to make sure you have the correct mapping for the inside IP that the ike traffic needs to be passed to. Again, if you continue to have issues making it work, or we are unable to get this string resolved in a reasonable amount of time, let me know and I'll put on hold what I am working on and throw my hat into this one and see if we can't get it going.
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    The more, the merrier...

    Even running through all of the fixup protocols I could think of, there's still no traffic with quickvpn (incoming/outgoing).

    Maybe this weekend I may put a little more time into it...
  5. tdorrington

    tdorrington LI Guru Member

    As the originator of this item I might not have made it clear enough. I am trying to go outbound through a Pix to the WRV54G at my home to set up the tunnel and then responses coming from home back through the Pix to my office PC. I am not trying to contact a WRV54G located inside of the Pix.

    Also, the VPN guide says HTTPS must be enabled on the router because quickvpn needs it. I have gone through the entire WRV54G config and can find no reference to such a setting. Can someone clue me in as to where this can be enabled?
  6. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    {Edit: Tdorrington, I re-read your final post and realize that your WRV54G is the "remote" device...maybe on a public IP address and that your client PC is behind a PIX at work. That said, the notes below with respect to turning off/on the correct fixups (advanced protocol handling rules) are still valid despite my "picture" of your network being back-asswards}

    The fixups are unnecessary.

    I've tried forwarding port 443 (and 60443) to the WRVxxx <-- (whatever flavour of QuickVPN endpoint I'm using at the moment), and configured access-lists to allow the above traffic as well as ESP (i.e. IKE Phase II) traffic through the PIX to no avail. I think the issue is that the PIX has no way of identifying the VPN endpoint behind it since it can't properly inspect the SPIs negotiated for the ESP header around the encrypted payload since it never sees (what to it is) a valid Phase I exchange.

    BTW, you will definitely want to turn *off* the fixup for ESP-IKE since otherwise the PIX won't let "orphaned" ESP traffic which has not resulted from a valid/full Phase I exchange through the firewall. This compounds the issues above, but this can be mitigated somewhat by using the 'sysopt connection permit-ipsec' command which allows the ESP traffic to bypass checking by the inbound ACL.

    Anyway, I've tried to get the thing to work out of idle curiosity and have come away frustrated a couple of times. I really don't think this can be made to work through a PAT'ing device. If, on the other hand, you could do one-to-one NAT, this would work. Unfortunately I obtain only one (static) IP address from my ISP so I have no way of verifying this.

    Right now my config looks like:
    Internet(DSL) <--> PIX 501 <---> RV042 <-DMZ-> Linux mail server
                                           <-LAN-> inside stuff

    Not much help I know but....

  7. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    If the WRV54G is on a public IP address you're in luck. This should work fine. I no longer have a WRV54G but I seem to remember that there was a setup item whereby you could set up the device for remote administration via https. I believe this is what is being referred to in the Guide. Without this setting the device will not accept TCP port 443 (https) traffic from the outside. Also make sure you are using the latest working firmware for the device since it can support TCP port 60443 as well. The 1.0.40 version of the QuickVPN client can be configured to use either 443 or 60443.

    Anybody else?

  8. DocLarge

    DocLarge Super Moderator Staff Member Member

    The "https" entry is a little misleading (I wondered why everyone was saying https had to be enabled). I think when the quickvpn setup guide was moved over from the old linksysinfo site and reposted on the new site, the section I'd started in the guide on how to get the RV082 configured to use quickvpn was inadvertently omitted. The RV082 requires https to be enabled to use quickvpn (when we were running the old website, a user emailed me with that information).

    Https does "not" have to be enabled on the WRV54G in order to use quickvpn. I run my wrv54g with "http" and always connect with quickvpn. Funny enough, when I put my wrv54g behind my Netgear DG834G, I can connect to other vpn routers with no problems (I hate to admit, Netgear does a better job with their vpn devices in some of their product lines), to include allowing you to connect out with quickvpn while a tunnel is running. Under normal circumstances, a quickvpn client connection can't be formed while an IPSEC tunnel is running (hmmm).

    Getting back on track, I'm going to put my PIX back on and try this again; now that I see I'm not the only one pissed with this, I can check in with others and see if there's any progress being made...

  9. ifican

    ifican Network Guru Member

    I have to say that I have experienced the same thing. I have an active ipsec tunnel running to a wrv200 from a netgear vpn router and can also bring up a quick vpn tunnel from behind that same device to, strangely enough, the same wrv200.

    As far as this issue goes, I too will start down this road. Hopefully we can work collectively to get this resolved. I have to admit however the pix will do some funny things with anything that it seems to think is one way traffic no matter what interface it originates on. I am going to start by attempting to connect through the pix to a public ip'd linksys router; if this works I will then move the position of the pix to the front end (public ip) and attempt to quickvpn to a nat'ed linksys router inside. I don't anticipate having any input of any kind until early next week but will post as soon as I have a chance to test or an answer along the way.
  10. ifican

    ifican Network Guru Member

    Ok, I need to make this quick as I am already behind schedule, however the good news is quickvpn works from behind a pix. I can only speak to you from pix firewall version 6.3(5) code. There are 2 things that need to happen and one thing I am going to hypothesize on, maybe Eric can clarify. The 2 things that have to happen for the pix to pass outbound quickvpn traffic are:

    fixup protocol esp-ike and
    permit inbound esp from the IP that you are attempting to connect to.

    Now tdorrington, in your case you are going to have to check with the network admin to see if he / she will do that for you, but it does work (depending on the firewall software version being run). Ok, for my small hypothesis: I do not know for sure but I have a sneaking suspicion that if the pix is being used to terminate a remote tunnel of any kind (isakmp turned on on the outside interface), that quickvpn will cease to function.
  11. tdorrington

    tdorrington LI Guru Member

    Many thanks for all the responses to the Post I generated. In particular, thanks to Ifican for your last one that I will now try to get in place. Some of the discussion went above my knowledge as I have never programmed a Cisco Pix. I use a third party guru to program and install Cisco at each of my three churches and I will now forward this series of replies to get his involvement in getting over this hurdle. I will come back with whatever happens as soon as I can make it happen. Again, many thanks to all. This is my first exposure to this web site and I am certainly impressed and will keep using in the future when hopefully I can try to help other Linksys users.
  12. ifican

    ifican Network Guru Member

    Well hopefully you can convey that info to your admin and they can get it working for you. Eric and Doc need to be given the credit, as all I did is take the foundation they both laid and worked out from there.

    As a side note, I have been working to get quickvpn to work from the outside in (from the pix's perspective) where the server sits inside the pix. I have gotten close as the linksys vpn device shows the authentication and isakmp exchange, however as soon as ESP starts it stops. I have to agree with both Eric and Doc that this is not possible; I have not yet given up but am getting close. I have even gone to the point of port forwarding all traffic from the pix to the linksys vpn router and still no luck. In doing that I have lost connectivity to the pix so I can't check logs now, but I know the network is still up because I can get to devices inside the pix. Slightly frustrated yes .....
  13. ifican

    ifican Network Guru Member

    Ok ladies and gents,

    Until further in-depth testing can be done I don't know all of the ramifications of doing so, however it is possible to make quickvpn work initiated from outside of the pix to a quickvpn router on the inside of the pix. To keep a long story short, make sure the following is turned off:

    no fixup protocol esp-ike
    no isakmp nat-traversal

    Also, and this is a big also, you need to effectively create a one to one nat mapping by configuring the outside interface to forward all traffic to your linksys router:

    static (inside,outside) interface "routers ip here" netmask

    Side effects:

    You will lose the ability to manage your pix device from the outside interface and secondly, I have yet to determine if any other host on the inside via a different ip loses the ability to connect. I will look into this when time permits, good luck to all.

  14. ifican

    ifican Network Guru Member

    Ok, information for what it's worth. When implementing the above, you will lose connectivity to any other host you have besides anything behind the quickvpn router. In my case the rest of my network sits behind the quickvpn router so every server and host had no issue. Tested by putting other hosts on the pix: the other hosts lost connectivity out, well actually they still sent traffic out but it did not know how to get back to the originating host. Use it as you will; if anyone has any questions feel free to ask or PM, I will answer when I can.
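    The two recipes in this thread (ifican's outbound case in post 10, and the router-inside-the-PIX case in posts 13 and 14, together with the inbound access-list Eric mentions in post 6) written out as one PIX 6.3-style configuration; this is an added illustration, not configuration posted by anyone in the thread. Addresses are placeholders (198.51.100.1 = PIX outside interface, 203.0.113.20 = a WRV54G on a public IP, 192.168.1.2 = a WRV54G WAN port sitting inside the PIX) and the access-list names are my own; the two scenarios cannot coexist on one PIX because the first needs the esp-ike fixup on and the second needs it off.

    ```cisco
    : ===== Scenario A: QuickVPN client PC inside the PIX, WRV54G on a public IP (post 10)
    : ESP carries no ports, so PAT cannot match the returning ESP to the client on its own.
    : The esp-ike fixup watches the outbound IKE (UDP 500) exchange and uses it to map the ESP back.
    fixup protocol esp-ike
    : Permit the returning ESP from the remote router. In 6.3 an inbound ACL names the
    : outside (translated) address, i.e. the PIX outside interface, as the destination.
    access-list outside_in_a permit esp host 203.0.113.20 host 198.51.100.1
    access-group outside_in_a in interface outside

    : ===== Scenario B: WRV54G inside the PIX, QuickVPN client out on the Internet (posts 13, 14)
    : The fixup must be off here: with it on, the PIX drops ESP that did not follow a Phase I
    : exchange it tracked itself (post 6), and NAT-T must not rewrite the exchange either.
    no fixup protocol esp-ike
    no isakmp nat-traversal
    : One-to-one mapping of the outside interface address onto the WRV54G WAN address
    : (the "interface" keyword uses the outside address as the global address).
    : Side effects per post 14: other inside hosts lose their return path, and the PIX can
    : no longer be managed via the outside interface.
    static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255
    : Allow what the QuickVPN client sends to the mapped address: IKE, ESP, and the HTTPS
    : ports the 1.0.40 client can use (post 7).
    access-list outside_in_b permit udp any host 198.51.100.1 eq 500
    access-list outside_in_b permit esp any host 198.51.100.1
    access-list outside_in_b permit tcp any host 198.51.100.1 eq 443
    access-list outside_in_b permit tcp any host 198.51.100.1 eq 60443
    access-group outside_in_b in interface outside
    : Existing translations are not rebuilt when a static is added; clear them.
    clear xlate
    ```

    Lines starting with a colon are PIX configuration comments; `show conn` and `show xlate` on the PIX are the quickest way to confirm whether the ESP flow is being matched to a translation.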
  15. DocLarge

    DocLarge Super Moderator Staff Member Member

    Good one, ifican. I'll put my pix back online and give this a try. Right now, I have a netgear dg834g as my gateway router with my wrv200 behind it on its own subnet. I'll let you guys know how I fare...
