Cisco PIX 515 and WatchGuard Firebox MUVPN

apteryx73
Level 1

Hi,

My company is using a two-tier firewall with a WatchGuard Firebox as the first tier and a Cisco PIX 515 behind it. I'm trying to use the WatchGuard MUVPN to connect to my internal LAN, which resides on the inside zone of the Cisco PIX, but somehow I can't access the internal LAN even though I allow any to any in my rules on the PIX.

But there's no problem for me to access all the interfaces of the WatchGuard Firebox. Is there anything I need to configure on the Cisco PIX?

Thanks for any advice.

Regards

5 Replies

a.awan
Level 4

To initiate a connection from a lower security interface (connected to the WatchGuard in your case) to a higher security interface (your internal LAN) on a PIX firewall you need to have static translations for all hosts to whom access is required and an access list permitting that access. You might want to go through this document for the configuration details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

Hi awan,

ok...will try it out....thanks!!!

Regards

Hi Awan,

I had tried to configure as per your advice but still could not get it to work. The WatchGuard MUVPN still can't access the network behind the Cisco PIX. Here's what I've configured:

.
.
access-list 102 permit tcp host 192.168.91.100 any
access-list 102 permit icmp host 192.168.91.100 any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp host 192.168.91.100 any
.
.
.
access-group 102 in interface outside

192.168.91.100 is the IP address I've given for the MUVPN client.

Here's my network diagram:

Mobile user (WatchGuard MUVPN client) -> Internet -> (Public IP) WatchGuard Firebox III (192.168.x.x) -> (192.168.x.x) Cisco PIX 515E (10.90.x.x) -> Internal network (10.90.x.x/16)

I was told that in order for it to work, I need to build an IPsec tunnel from the WatchGuard Firebox to the Cisco PIX; would appreciate your further advice. Thanks!!!

Regards

There can be two solutions in your case, and which one you go with depends on what you want to achieve. If the requirement is only to access a limited set of applications (like telnet, www, smtp) over the VPN then the way I described it earlier is probably your best bet. Do note that you also need statics in addition to the access-list to be able to access an inside device from an outside interface.

If your requirement is basically to have an extension of the LAN over the VPN then the best thing to do will be to try to terminate the VPN session directly on the PIX firewall.
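Both of awan's replies make the same point: on a PIX, a flow entering the outside (lower-security) interface and bound for the inside network passes only if (a) a static (or identity static) translation exists for the inside destination and (b) the access-list bound inbound on outside permits the flow. The poster's config has (b) but not (a). The script below is an added illustration, not part of this thread and not Cisco code: it parses the few PIX 6.x commands involved (`access-list`, `access-group`, `static`) and applies those two checks to a candidate flow, so you can see why the posted config fails and what a single identity static changes. The inside addresses (10.90.1.10) and the `static (inside,outside) 10.90.0.0 10.90.0.0 netmask 255.255.0.0` line are assumptions for the example; the ACL lines are the ones posted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The ACL the poster showed, plus its binding on the outside interface.
POSTED_CONFIG = """
access-list 102 permit tcp host 192.168.91.100 any
access-list 102 permit icmp host 192.168.91.100 any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp host 192.168.91.100 any
access-group 102 in interface outside
"""

# Assumed fix: an identity static for the inside /16 so outside->inside packets
# have a translation to match (addresses are constructed for the example).
CONFIG_WITH_STATIC = POSTED_CONFIG + """
static (inside,outside) 10.90.0.0 10.90.0.0 netmask 255.255.0.0
"""


@dataclass
class Ace:
    action: str                       # permit / deny
    proto: str                        # tcp / udp / icmp / ip
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]               # "80", "echo", ... or None for any


def _net(tokens):
    """Consume one PIX address spec: any | host A.B.C.D | A.B.C.D MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_pix(config):
    """Return (acls, bindings, statics) from the subset of PIX 6.x syntax used here."""
    acls, bindings, statics = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":
            rest = tok[4:]
            src, dst = _net(rest), _net(rest)
            port = rest[-1] if rest else None      # "eq 80" -> "80", icmp type -> "echo"
            acls.setdefault(tok[1], []).append(Ace(tok[2], tok[3], src, dst, port))
        elif tok[0] == "access-group":             # access-group NAME in interface IF
            bindings[(tok[4], tok[2])] = tok[1]
        elif tok[0] == "static":                   # static (high,low) GLOBAL LOCAL netmask MASK
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", line)
            high, low, glob, local, mask = m.groups()
            statics.append((high, low,
                            ipaddress.ip_network(f"{glob}/{mask}", strict=False),
                            ipaddress.ip_network(f"{local}/{mask}", strict=False)))
    return acls, bindings, statics


def evaluate(config, src, dst, proto, port=None):
    """Decide an outside->inside flow: (allowed: bool, reason: str)."""
    acls, bindings, statics = parse_pix(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Check (a): a static whose global side covers the destination must exist.
    real = None
    for high, low, gnet, lnet in statics:
        if low == "outside" and dst_ip in gnet:
            real = lnet.network_address + (int(dst_ip) - int(gnet.network_address))
            break
    if real is None:
        return False, f"no static translation for {dst} on the outside interface"

    # Check (b): the ACL bound inbound on outside must permit the flow.
    name = bindings.get(("outside", "in"))
    if name is None:
        return False, "no access-group inbound on outside; implicit deny"
    for ace in acls.get(name, []):
        if ace.proto not in (proto, "ip"):
            continue
        if src_ip not in ace.src or dst_ip not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        if ace.action == "permit":
            return True, f"permitted by access-list {name}; inside host is {real}"
        return False, f"explicitly denied by access-list {name}"
    return False, f"no matching entry in access-list {name}; implicit deny"


if __name__ == "__main__":
    flow = ("192.168.91.100", "10.90.1.10", "tcp", "80")
    print("posted config:     ", evaluate(POSTED_CONFIG, *flow))
    print("with identity static:", evaluate(CONFIG_WITH_STATIC, *flow))
```

Run as-is, the posted configuration fails on the missing static even though the ACL is wide open, and the same flow passes once the identity static is present; a client address outside the ACL's `host 192.168.91.100` entries is still refused, which is the filtering awan's first option relies on.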

Hi Awan,

Thanks for the advice. Since I wanted an extension of the LAN over VPN, I will choose the second option you have suggested.

Regards
