08-09-2007 09:38 AM - edited 03-11-2019 03:55 AM
Hi, has anyone ever configured a PIX to sit between a local LAN switch and an internet broadband router to basically block all traffic except for outgoing VPN connections using the Cisco VPN client to a Cisco VPN concentrator from PCs located on the local LAN.
If anyone has got this kind of setup working then it would be useful to get an overview of how, I have searched the net but can't seem to find anything specific to what I'm trying to achieve.
The info I'm interested in is what specific protocols/ports need to be allowed through, any features that need to be enabled on the PIX, etc.
Thanks in advance.
08-09-2007 09:43 AM
The IPsec VPN ports which would need to be allowed through would be
udp 500
udp 4500
protocol 50 esp
You could simply create an access-list on your inside interface allowing only these ports outbound.
access-list inside permit udp any any eq 500
access-list inside permit udp any any eq 4500
access-list inside permit esp any any
access-group inside in interface inside
or more specifically
access-list inside permit udp any host
access-list inside permit udp any host
access-list inside permit esp any host
access-group inside in interface inside
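To show what the inside-interface access list above actually lets through, here is an added example (not from the thread or from Cisco) that models the three entries as a first-match list with an implicit deny and evaluates them against a few constructed outbound flows. The concentrator address 203.0.113.10 is a documentation-range placeholder, and the flow names and sample addresses are made up for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str            # "udp", "tcp" or "esp"
    dst: str              # destination IP
    dport: Optional[int]  # destination port; None for ESP, which has none

@dataclass(frozen=True)
class Ace:
    proto: str
    dst: str              # "any" or a host/network in CIDR notation
    dport: Optional[int]  # None matches any port

    def matches(self, f: Flow) -> bool:
        if self.proto != f.proto:
            return False
        if self.dst != "any" and ip_address(f.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == f.dport

# The three entries from the reply, pinned to a hypothetical concentrator
# address (203.0.113.10, a documentation range, stands in for the real one).
CONCENTRATOR = "203.0.113.10/32"
VPN_ONLY_ACL = [
    Ace("udp", CONCENTRATOR, 500),    # ISAKMP / IKE
    Ace("udp", CONCENTRATOR, 4500),   # NAT-T (IPsec over UDP)
    Ace("esp", CONCENTRATOR, None),   # IP protocol 50
]

def permitted(acl, f: Flow) -> bool:
    """First matching entry wins; no match falls to the implicit deny."""
    return any(ace.matches(f) for ace in acl)

# Constructed outbound flows: the VPN itself, plus traffic users will find
# blocked, including DNS if the client is given the concentrator's hostname.
SAMPLE_FLOWS = {
    "ike":       Flow("udp", "203.0.113.10", 500),
    "natt":      Flow("udp", "203.0.113.10", 4500),
    "esp":       Flow("esp", "203.0.113.10", None),
    "web":       Flow("tcp", "198.51.100.7", 443),
    "dns":       Flow("udp", "198.51.100.53", 53),
    "ike_other": Flow("udp", "198.51.100.7", 500),  # IKE to a non-approved peer
}

def evaluate(acl=VPN_ONLY_ACL, flows=SAMPLE_FLOWS) -> dict:
    return {name: permitted(acl, f) for name, f in flows.items()}
```

Calling `evaluate()` returns permit for the three VPN flows and deny for everything else, which is why the client must be configured with the concentrator's IP address rather than a hostname unless DNS is also permitted.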
08-09-2007 09:47 AM
Thanks for the prompt reply, I'll try that out.