Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Trying to get the VPN in this Cisco Pix to work w/ pfsense.

    Scheduled Pinned Locked Moved NAT
    4 Posts 2 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      elementalwindx
      last edited by

      I'm using PFSense 2.1 beta snapshots

      I'm having an issue with this pfsense that is load balancing 2 wan's on this network. There is a cisco pix on this network that needs to be able to show its connecting only thru WAN A, and it's trying to connect on both WAN A and B. Unfortunately I cannot touch the pix as it's dealing with the server vendor we have to use. This is the email he sent me trying to figure out how to fix this issue.

      This is in regards to the VPN Tunnel that is down. We have a PIX Firewall using WAN IP 192.168.168.1, that should be NAT’d to WAN A to establish the IPSEC tunnel. I’m seeing this IP change from WAN A to WAN B. You need to make sure that you’re Natting us only to WAN A. Also, be sure there is no filtering/blocking port 500 for IPSEC.

      I'm trying to figure out exactly how to accomplish this. In the port forward section I have added a rule as such: If WAN A, Proto TCP/UDP, src *, dest *, dest port 500, nat ip 192.168.168.1 nat ports * . I've told it to reflect this port in the rules and it does.

      I've also added a rule in the firewall rules under LAN for any tcp/udp with port 500 to go thru gateway WAN A.

      They still cannot seem to get the vpn to connect. They say it is timing out. :/

      The IP of the pfsense is 192.168.168.168
      I ping the ip 192.168.168.1 on LAN and I get a response…

      PING 192.168.168.1 (192.168.168.1) from 192.168.168.168: 56 data bytes
      64 bytes from 192.168.168.1: icmp_seq=0 ttl=255 time=0.181 ms
      64 bytes from 192.168.168.1: icmp_seq=1 ttl=255 time=0.102 ms
      64 bytes from 192.168.168.1: icmp_seq=2 ttl=255 time=0.102 ms

      --- 192.168.168.1 ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 0.102/0.128/0.181/0.037 ms

      Apparently this is a site to site vpn tunnel. Not quite sure how I can test whether this is working or not without calling them over and over and asking "does it work now?"

      1 Reply Last reply Reply Quote 0
      • E
        elementalwindx
        last edited by

        I've even setup a rule in the firewall rules saying any data coming from 192.168.168.1 will go out on WAN A, and they still say it does not work. :/ wtf?

        1 Reply Last reply Reply Quote 0
        • M
          Metu69salemi
          last edited by

          Is that rule top-of-the-list or is there any other rule which may "catch" traffic before this intended rule?

          1 Reply Last reply Reply Quote 0
          • E
            elementalwindx
            last edited by

            @Metu69salemi:

            Is that rule top-of-the-list or is there any other rule which may "catch" traffic before this intended rule?

            It's top of the list.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.