11-09-2004 09:39 AM - edited 02-21-2020 01:26 PM
When we bring a new customer on board, we set up a VPN between that customer's network and ours. On our side, the tunnel endpoint is our PIX 515. On the customer side, it's a PIX 501. The tunnel is 3DES IPSEC. We require the customer site to allocate a static public IP address to us for the PIX's outside interface.
One of our customer sites is refusing to give us a public IP address. They want to put the PIX 501 behind their firewall and port forward traffic to us. I'm trying to assemble the description of what ports they need to forward. I'm sure they'll need to do port 500 (both UDP and TCP), but I'm not sure if there are others. Does anyone have a good list?
Thanks
Pat
11-09-2004 09:52 AM
UDP 500
and
ESP
Note:
ESP is a protocol and not a port. Since you are familiar with ACLs, the way to open ESP is instead of "access-list 101 permit ip
You may need to open UDP 4500 if the PIX-501 is going to get PATed (and make sure that ISAKMP NAT-T is enabled).
11-10-2004 01:00 PM
use "access-list 101 permit esp
Is this also the way to allow VPN passthrough.
My pix 506e sits behind a SMC router that I'm told will not allow VPN traffic from outside to inside.
One individual in my building uses PCAnywhere to access his system behind the building router, then pings his home router (NetGear), and establishes the VPN connection that way (from inside to outside).
I've tried the same thing, but cannot achieve a VPN tunnel. Could it be that the 506e (6.2.2) doesn't allow VPN passthrough? Can this be configured?
Thanks
11-10-2004 01:59 PM
For IPSec VPN traffic to pass through any device that is filtering traffic, you need to have at least UDP port 500 and the ESP protocol permitted through. That way you will be able to build your VPN tunnel. All other data that flows over this tunnel is transparent to the device that is filtering.
Now pcAnywhere uses entirely different protocols and ports. I suppose that the building router (SMC router) permits pcAnywhere but not IPSec. So, what that other individual probably does is pcAnywhere's to his PC on the inside of the SMC router and then establishes a VPN tunnel outbound (relative to the SMC router) with the ping. (I suppose that his NetGear router has VPN enabled and that the SMC router permits IPSec outbound).
The PIX will permit IPSec pass through. You just need to open UDP port 500 and ESP. However, if the VPN tunnel is terminating on the PIX, then you do not have to open those ports.
If you have further doubts and/or questions, please draw a network topology diagram to make things more clear (in case I have not understood your network right).
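The two answers above (UDP 500 plus the ESP protocol, and UDP 4500 when the PIX sits behind PAT) can be turned into a quick policy check. The following is an added example, not code from this thread or from Cisco: it models a filtering device's rule list the way a PIX ACL is evaluated (first match wins, implicit deny at the end), with ESP represented as IP protocol 50 rather than a port, and reports which IPsec flows a given policy still blocks. The rule sets at the bottom are constructed samples; the first one makes exactly the mistake the thread warns about, opening "port 500" for TCP and UDP but never permitting ESP.

```python
"""Check whether a filtering policy lets an IPsec tunnel through.

Added example for the thread above; not PIX configuration and not
Cisco's code. Rules are evaluated like an ACL: first match wins,
and anything unmatched is denied.
"""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers. ESP (50) is a protocol, not a port, so a rule
# for it carries no port at all (the point made in the second reply).
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50


@dataclass(frozen=True)
class Rule:
    proto: int                 # IP protocol number the rule matches
    dst_port: Optional[int]    # destination port, or None for port-less protocols
    permit: bool = True        # permit or deny


@dataclass(frozen=True)
class Flow:
    name: str
    proto: int
    dst_port: Optional[int]


def ipsec_flows(behind_pat: bool) -> List[Flow]:
    """Flows an IPsec site-to-site tunnel needs, per the replies above.

    ISAKMP on UDP 500 and the ESP protocol are always needed; when the
    PIX is PATed, ISAKMP NAT-T on UDP 4500 is needed as well.
    """
    flows = [Flow("ISAKMP", PROTO_UDP, 500), Flow("ESP", PROTO_ESP, None)]
    if behind_pat:
        flows.append(Flow("NAT-T", PROTO_UDP, 4500))
    return flows


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when the protocol agrees and, for port-carrying
    protocols, the destination port agrees too."""
    if rule.proto != flow.proto:
        return False
    if flow.dst_port is None:
        return rule.dst_port is None
    return rule.dst_port == flow.dst_port


def is_permitted(rules: List[Rule], flow: Flow) -> bool:
    """ACL semantics: first matching rule decides; no match means deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.permit
    return False


def missing_for_ipsec(rules: List[Rule], behind_pat: bool) -> List[str]:
    """Names of the IPsec flows the policy does not permit (empty = OK)."""
    return [f.name for f in ipsec_flows(behind_pat) if not is_permitted(rules, f)]


# Constructed sample policies (not from any real device).
# "Port 500 both UDP and TCP" as the original question proposed: ESP is
# never permitted, and TCP 500 is not used by IPsec at all.
PORT_500_ONLY = [Rule(PROTO_UDP, 500), Rule(PROTO_TCP, 500)]

# What the replies recommend for a PIX behind PAT.
RECOMMENDED = [Rule(PROTO_UDP, 500), Rule(PROTO_ESP, None), Rule(PROTO_UDP, 4500)]


if __name__ == "__main__":
    for label, policy in (("port-500-only", PORT_500_ONLY), ("recommended", RECOMMENDED)):
        for pat in (False, True):
            gap = missing_for_ipsec(policy, pat)
            print(f"{label:14s} behind_pat={pat!s:5s} missing={gap or 'none'}")
```

Run it as a script to see the gap report; the port-500-only policy is reported as missing ESP, and additionally NAT-T when the endpoint is PATed, while the recommended policy passes in both cases.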