allow ipsec traffic from outside to inside

moises
Level 1

I am trying to allow IPsec traffic to an inside VPN device. I have a PIX 506E with one public static IP and NAT inside.

thanks for any help

Moises Perez

3 Replies

Fernando_Meza
Level 7

Hi .. because your device is behind the PIX then you need to use NAT-T ( NAT traversal ) to allow IPsec over UDP to traverse the PIX. Depending on the client you are using you will have to allow whatever ports are used for the encapsulation. For example the Cisco VPN client uses UDP 4500 or TCP 10000 by default. And so in the case of the Cisco VPN client you only need to allow UDP 4500 or TCP 10000 on the access-list applied to the Inside and Outside interfaces. i.e.

access-list Outside-In permit udp any host <public-ip> eq 4500

access-list Outside-In permit tcp any host <public-ip> eq 10000

access-group Outside-In in interface outside

access-list Inside-Out permit udp host <inside-vpn-ip> any eq 4500

access-list Inside-Out permit tcp host <inside-vpn-ip> any eq 10000

access-group Inside-Out in interface inside

I hope it helps .. please rate if it does !!!

I need to allow IPsec traffic from outside to an inside VPN router. The issue now is that I have only one public static IP.

I cannot add the first command because it overlaps with already mapped IPs

static (inside,outside) x.x.x.x 192.168.1.51

access-list inbound permit esp any host x.x.x.x

access-list inbound permit udp any host x.x.x.x eq isakmp

Can I accomplish this with only one IP? TAC is saying no.

thx,

Moises

Hi .. because your device is behind a PIX which does NAT you need to use NAT-T ( IPsec over UDP/TCP ). If you already have a one-to-one static using the only public IP address available, then your only option is to use port forwarding if it applies to your setup.

static (inside,outside) udp <public-ip> 4500 <inside-vpn-ip> 4500 netmask 255.255.255.255

With port forwarding you can use one public IP address and then redirect the traffic to inside devices as long as the ports are different .. in other words you can use the same public IP and redirect traffic on ports 80, 443, 500, 25 etc .. to 4 different servers .. again, as long as the ports are different then this would be your only option if you can't get another public IP.

I hope it helps .. please rate if it does !!!
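The two replies above hinge on one mechanism: on a single public IP, PIX 6.x can either map the whole address to one inside host (a one-to-one static) or redirect individual TCP/UDP ports to different hosts (port-redirection statics), but not both at once. The model below, added here as an example and not code from the thread or from Cisco, reproduces that demultiplexing: it builds the port-forwarding layout the second reply describes (web, mail and the inside VPN device on UDP 500 and UDP 4500, the NAT-T port the first reply says to open), shows the overlap error the original poster hit when adding a one-to-one static on top of it, and shows why raw ESP (IP protocol 50, no port) cannot be claimed by any port redirection, which is why the peer has to negotiate NAT-T. The public address, inside hosts and port layout are all constructed for the illustration.

```python
"""Added example (not from the thread or from Cisco): a small model of how a
PIX 6.x single public IP is demultiplexed by 'static' entries, and why
one-to-one statics, port-redirection statics and ESP interact as the thread
describes.  Every address and host below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the thread's x.x.x.x


@dataclass(frozen=True)
class Static:
    """One 'static (inside,outside) ...' line.

    proto=None models a one-to-one static (all protocols, all ports);
    proto='udp' or 'tcp' with ports models a port-redirection static.
    """
    inside_ip: str
    public_ip: str = PUBLIC_IP
    proto: Optional[str] = None
    public_port: Optional[int] = None
    inside_port: Optional[int] = None

    def as_pix(self) -> str:
        """Render the entry in PIX 6.x command syntax."""
        if self.proto is None:
            return (f"static (inside,outside) {self.public_ip} {self.inside_ip} "
                    f"netmask 255.255.255.255")
        return (f"static (inside,outside) {self.proto} {self.public_ip} {self.public_port} "
                f"{self.inside_ip} {self.inside_port} netmask 255.255.255.255")


@dataclass(frozen=True)
class Packet:
    proto: str                       # 'udp', 'tcp', 'esp', ...
    dst_ip: str
    dst_port: Optional[int] = None   # ESP (IP proto 50) carries no port


class PixStaticTable:
    def __init__(self) -> None:
        self.statics: List[Static] = []

    def add(self, s: Static) -> None:
        """Mimic the overlap check PIX performs when a static is entered."""
        for e in self.statics:
            if e.public_ip != s.public_ip:
                continue
            # A one-to-one static owns every port of the address, so it cannot
            # coexist with any other static on that same public IP.
            if e.proto is None or s.proto is None:
                raise ValueError(f"global address overlaps with existing static: {e.as_pix()}")
            if (e.proto, e.public_port) == (s.proto, s.public_port):
                raise ValueError(f"port already redirected: {e.as_pix()}")
        self.statics.append(s)

    def translate(self, pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
        """Inside (ip, port) an inbound packet is sent to, or None if nothing matches."""
        for s in self.statics:
            if s.public_ip != pkt.dst_ip:
                continue
            if s.proto is None:
                return s.inside_ip, pkt.dst_port
            if s.proto == pkt.proto and s.public_port == pkt.dst_port:
                return s.inside_ip, s.inside_port
        return None


def port_forward_table() -> PixStaticTable:
    """The single-public-IP layout the second reply suggests (constructed hosts)."""
    t = PixStaticTable()
    t.add(Static("192.168.1.10", proto="tcp", public_port=80, inside_port=80))
    t.add(Static("192.168.1.10", proto="tcp", public_port=443, inside_port=443))
    t.add(Static("192.168.1.20", proto="tcp", public_port=25, inside_port=25))
    # the inside VPN device: IKE on UDP 500 and NAT-T (ESP in UDP) on UDP 4500
    t.add(Static("192.168.1.51", proto="udp", public_port=500, inside_port=500))
    t.add(Static("192.168.1.51", proto="udp", public_port=4500, inside_port=4500))
    return t


def one_to_one_overlap_error() -> str:
    """Why 'static (inside,outside) x.x.x.x 192.168.1.51' is refused once port
    statics already use the public IP; returns the error text."""
    t = port_forward_table()
    try:
        t.add(Static("192.168.1.51"))   # one-to-one, all protocols
    except ValueError as exc:
        return str(exc)
    return ""


def ipsec_demo() -> Dict[str, Optional[Tuple[str, Optional[int]]]]:
    """Where each inbound flow from an outside IPsec peer ends up."""
    t = port_forward_table()
    return {
        "ike_udp_500": t.translate(Packet("udp", PUBLIC_IP, 500)),
        "nat_t_udp_4500": t.translate(Packet("udp", PUBLIC_IP, 4500)),
        # raw ESP has no port, so no port-redirection static can claim it;
        # the peer must use NAT-T so ESP rides inside UDP 4500
        "raw_esp": t.translate(Packet("esp", PUBLIC_IP)),
        "https": t.translate(Packet("tcp", PUBLIC_IP, 443)),
    }


if __name__ == "__main__":
    for s in port_forward_table().statics:
        print(s.as_pix())
    print(one_to_one_overlap_error())
    for name, dest in ipsec_demo().items():
        print(f"{name:15s} -> {dest}")
```

Running the block prints the five static lines in PIX syntax, the overlap error, and the destination of each flow; raw ESP maps to nothing, which is the practical reason the inside device and its peers must both support NAT-T. Note also that PIX 6.x evaluates the outside interface's access-list against the public (pre-translation) address, so the permit lines for UDP 500 and UDP 4500 reference the public IP, as in the poster's own "inbound" list.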