https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940268#M937794 <HTML><HEAD></HEAD><BODY><P>both side can initiate traffics without any </P><P>issues. This is because your DMZ has higher</P><P>priority than the "outside" interface.</P></BODY></HTML> Wed, 14 May 2008 13:51:35 GMT cisco24x7 2008-05-14T13:51:35Z https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940265#M937791 <P>Hope this is the right spot...I've done searches and foud posts that are close, but no solution that has worked for me....</P><P></P><P>Summary: My firewall is a PIX 506E. The other company is using Cisco routers on both ends to maintain the VPN. I have no access to their equipment.</P><P></P><P>The Issue</P><P>I have a vendor that has put a Cisco VPN device behind my firewall. They originally told me to make sure I could ping 4 IP addresses (they supplied) and all would be fine. I was able to setup my firewall to allow the pinging to the internet. However, now they say I am reaching their end of the VPN, but my firewall is blocking IPSec. </P><P></P><P>What do I need to do so I can allow this traffic to pass through my PIX?</P><P></P><P>Thanks in advance for any help.</P> Mon, 11 Mar 2019 12:44:30 GMT https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940265#M937791 jcorirossi 2019-03-11T12:44:30Z https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940266#M937792 <HTML><HEAD></HEAD><BODY><P>This is how I would do this:</P><P></P><P>1- Your pix 506E only has two physical interface, e0 and e1.</P><P></P><P>2- create a DMZ on your Pix506E via 802.1q and assign public</P><P>Ip address on the DMZ interface. For example, 1.1.1.1/30 will be</P><P>the ip address of the DMZ and you assign the Cisco VPN device with an</P><P>IP address of 1.1.1.2/30,</P><P></P><P>3- create another DMZ1 on your Pix506E with 802.1q and</P><P>assign an IP address 10.1.1.1/30 and give the Cisco vpn Device </P><P>internal ip address of 10.1.1.2/30. </P><P></P><P>4- static (dmz,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255</P><P></P><P>5- access-list External permit udp 4-IP_address host 1.1.1.2 eq 500 log</P><P> access-list External permit esp 4-ip-address host 1.1.1.2 log</P><P> access-list External permit udp 4-ip-address host 1.1.1.2 eq 4500 log</P><P> access-group External in interface outside</P><P></P><P>That way, you will protect your internal network from virus traversing</P><P>the VPN. This is classic design called sandwiching your VPN device</P><P>between the firewall.</P><P></P><P>CCIE Security</P></BODY></HTML> Wed, 14 May 2008 01:20:36 GMT https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940266#M937792 cisco24x7 2008-05-14T01:20:36Z https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940267#M937793 <HTML><HEAD></HEAD><BODY><P>For this solution to work, does it matter that the VPN device on my end is the one starting the connection? The VPN is established by certain traffic on my side going to the specific host.</P></BODY></HTML> Wed, 14 May 2008 13:13:31 GMT https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940267#M937793 jcorirossi 2008-05-14T13:13:31Z https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940268#M937794 <HTML><HEAD></HEAD><BODY><P>both side can initiate traffics without any </P><P>issues. This is because your DMZ has higher</P><P>priority than the "outside" interface.</P></BODY></HTML> Wed, 14 May 2008 13:51:35 GMT https://community.cisco.com/t5/network-security/pass-ipsec-through-pix-506/m-p/940268#M937794 cisco24x7 2008-05-14T13:51:35Z