cancel
Showing results for 
Search instead for 
Did you mean: 

PIX VPN Server behind Business Hub

Rog
Member

I spent most of Friday afternoon trying to work out why I couldnt get a VPN connection working to a new PIX firewall behind our business hub and then saw the post on the latest firmware having broken some VPN connections. To make sure I've got this right can anyone confirm -

 

1) What ports need to be opened to use an IPSEC Cisco VPN server behind the business hub?

(my homehub has this setup as an option in the firewall but for some reason the business hub only has PPTP. I've opened ports 500 and 4500 but cannot connect)

2) The 2-wire website states that the 2700 blocks the IP protocols necessary to use an IPSEC VPN  even when the firewall is configured correctly- is this correct?

3) Has the latest firmware broken any chance of getting the PIX functioning correctly? (BT Tech Support didnt seem to know about this)

 

Thanks for any help anyone can provide. Just as an aside - I've proven I can connect to the outside port of the PIX firewall from inside the business hub firewall so its definitely the business hub thats blocking things.

 

Roger.

11 REPLIES 11

a-hill
Grand Master

Rog just to confirm, do you have a single static IP or multiple static addresses?

 

1) Ports should be PPTP + 50, 51 and 500

 

2) Can you link to where the website says this? That statement all depends on the set up and if multiple or single IP's are being used.

 

3) The update hasn't broken any chance, again it depends on your specifics to give you the best method to get it working.

Rog
Member

Thanks a-hill

I added the extra ports but still cant connect. I currently have a single static IP but last week had also tried with multiple ips and giving the pix its own static IP. I have turned on NAT traversal, can browse out through the PIX, can connect to the PIX by VPN from inside the BT firewall but just cant connect from outside the BT firewall. I've tried with the PIX in the DMZ and still cant connect. I cant find the link on the 2wire website but will try and look this evening. If you have any bright ideas as to what I may have missed in the PIX config I'd really appreciate it 😉

Thanks

Roger.

alastair
Grand Guru
common ipsec ports are udp500 and udp4500. add them too
Message Edited by alastair on 30-03-2009 01:07 PM
=~~= All Glory to the Hypnotoad! =~~=

a-hill
Grand Master

Rog can you confirm what version of firmware your router is on? It'll be on Settings then System Info, we're looking for either 6.1.1.48 or 6.1.1.48.1

 

If it's 6.1.1.48 then there probably isn't really anything you can do, there was a VPN bug found which prompted the 48.1 release to happen. It seems to affect single and multiple IP's, your best bet is to call the helpdesk and have them send you a 5 series router.

 

If it's 6.1.1.48.1, then multiple IP's should be ok. OZ grabs the IPSec ports over the WAN IP, so a single static will be affected. If you have multiples, then each public IP has it's set of ports, and since only the WAN IP ports are used up, the no-NAT IP ports should be fine.

Rog
Member

Thanks A-hill

 

Its 6.1.1.48.1-enh.tm. I had tried last week when I had 5 ip addresse set up and still couldnt get it to work so Im note sure that the fix is working but I guess it definitely wont work with our current single IP address. I'll call support back and see what they say.

 

Roger.

Rog
Member
Thanks Alastair I already had these ones open

a-hill
Grand Master

Rog,

 

Once you have your IP's you'll need to reboot your router 1st of all so they can be applied to the routing from the HGR side. Log in to the router and go to Settings>Broadband>Link Configuration. Scroll to the bottom and enable the Public IP Address section (you've probably done this before but i'll run over it anyway Smiley Wink ). Save the settings off. Now it would be best if your red side WAN port of the PIX could be set to DHCP but not absolutely necessary. If DHCP is on, go to LAN>Nat & Address Allocation. Your PIX will be listed there, drop the Address Assignment box down and scroll to the very top and select Public (Select WAN IP Mapping), then drop the WAN IP Mapping box and choose the IP you want. Save the settings and then reboot your PIX to pick up the new IP. Test web through the PIX and go to www.whatismyip.com to make sure all is working. If that's ok, double check in the routers device list that it's showing with a public IP (this is crucial or port wont forward properly), if all is showing in the device list ok go to Firewall> Allow Applications, Pinholes and DMZ Mode. 1st section will ask you to choose a device, select the PIX, the page will refresh then go to the bottom and set it to Allow All Applications (DMZ+ Mode) and that should be it. Alternatively just add your port rules if that's really all you want to do. Run some queries on the port then go to the Logs tab and firwwall log to make sure the router is allowing them through (DMZ doesnt log any port requests) 

 

If you've assigned one of the public addresses manually to the WAN port of the PIX, then you can't enable port forwarding or DMZ until the device list of the router reflects this change. If your PIX still shows as on a private LAN address, then port forwarding won't work. You can ping the router or have the router ping the PIX to speed up the process, but DHCP is your quickest option.

Message Edited by a-hill on 30-03-2009 03:59 PM

Rog
Member

Thanks A-hill. I'd just configured and testedt he vpn connection when I got your update. It works now with multiple IP addresses. Just out of interest do you know when the update was pushed out as it wasnt working with multiple addresses on Friday on my hub - thats why I tried a single IP address.

 

I dont know if you have a feedback route for the support helpdesk but I spent an hour on the phone with a very helpful guy this afternoon but the information he was being given by colleagues was confused and in some cases wrong. Initiallly I was told the problem was with mutiple ip addresses and single were fine so the fault must lay with my vpn server. When I referred to your posts (mentioning no names) he was then told that the fault was with single ip addresses and I should try multiple. He couldnt send me a version 5 hub and siuggested if multiple didnt work to buy a 3rd party hub !

 

Unfortunately I now cant have the network layout I had planned but at least I can connect - thanks for your help.

a-hill
Grand Master

Rog,

 

do you know which department you spoke to, frontline technical support, ethernet support etc? The upgrades actually stopped about 2/3 weeks ago, so your router will already have been upgraded on the friday when you tried it. The only possible reason I could see that it didn't work is the device list issue where manually assigned IP's don't reflect on the device list straight away, so port access doesn't work until the proper info is displaying.

 

I'm happy to hear you've got it working, albiet in not quite the set up that you wanted which I can only apologise for.

Message Edited by a-hill on 31-03-2009 08:02 AM