Solved: Re: Ports for Site to site behind another PIX

neff2k · ‎06-20-2005

Have a client who we are going to be setting up a site to site VPN. The remote site is behind another PIX firewall which has private IP's on the inside. Beside the static nat, which ports need to be open in order to do a site to site?

pkapoor · ‎06-20-2005

If the VPN tunnel is terminating on PIX-B, then PIX-A needs to be opened for the following ports (in both directions - inbound and outbound).

- Protocol ESP (that is protocol 50)

- UDP port 500

- UDP port 4500

So, the ACL commands on PIX-A will be:

access-list outside_ACL permit udp IP_of_SiteA-PIX IP_of_PIX-B eq 500

access-list outside_ACL permit udp IP_of_SiteA-PIX IP_of_PIX-B eq 4500

access-list outside_ACL permit esp IP_of_SiteA-PIX IP_of_PIX-B

That should do the trick.

View solution in original post

mostiguy · ‎06-20-2005

Are you creating it to that pix, or a pix behind it? UDP 500 is isakmp, and ESP is ip protocol 50. If you are doing nat traversal, then you want udp 4500 open as well.

neff2k · ‎06-20-2005

Lets say site "A" is the main site. Site "B" is the remote. Site A is simply a PIX connected to a router with a T1. So no problems there. Site "B" Has a T1 to a router, with a PIX(Lets Call "PIX-A"" behind the router. We are placing another lets call it "PIX-B" behind "PIX-A". So the company that owns PIX-A is wanting to know which ports need to be opened for traffic to "PIX-B".

pkapoor · ‎06-20-2005