PIX to PIX VPN, with one PIX behind another firewall

patrick.peters
Level 1

When we bring a new customer on board, we set up a VPN between that customer's network and ours. On our side, the tunnel endpoint is our PIX 515. On the customer side, it's a PIX 501. The tunnel is 3DES IPSEC. We require the customer site to allocate a static public IP address to us for the PIX's outside interface.

One of our customer sites is refusing to give us a public IP address. They want to put the PIX 501 behind their firewall and port forward traffic to us. I'm trying to assemble the description of what ports they need to forward. I'm sure they'll need to do port 500 (both UDP and TCP), but I'm not sure if there are others. Does anyone have a good list?

Thanks

Pat

3 Replies

pkapoor
Level 3

UDP 500

and

ESP

Note:

ESP is a protocol and not a port. Since you are familiar with ACLs, the way to open ESP is, instead of "access-list 101 permit ip ...", use "access-list 101 permit esp ...".

You may need to open UDP 4500 if the PIX-501 is going to get PATed (and make sure that ISAKMP NAT-T is enabled).

use "access-list 101 permit esp ...".

Is this also the way to allow VPN passthrough.

My pix 506e sits behind a SMC router that I'm told will not allow VPN traffic from outside to inside.

One individual in my building uses PCAnywhere to access his system behind the building router, then pings his home router (NetGear), and establishes the VPN connection that way (from inside to outside).

I've tried the same thing, but cannot achieve a VPN tunnel. Could it be that the 506e (6.2.2) doesn't allow VPN passthrough? Can this be configured?

Thanks

For IPSec VPN traffic to pass through any device that is filtering traffic, you need to have at least UDP port 500 and the ESP protocol permitted through. That way you will be able to build your VPN tunnel. All other data that flows over this tunnel is transparent to the device that is filtering.

Now pcAnywhere uses entirely different protocols and ports. I suppose that the building router (SMC router) permits pcAnywhere but not IPSec. So, what that other individual probably does is use pcAnywhere to reach his PC on the inside of the SMC router and then establishes a VPN tunnel outbound (relative to the SMC router) with the ping. (I suppose that his NetGear router has VPN enabled and that the SMC router permits IPSec outbound).

The PIX will permit IPSec pass through. You just need to open UDP port 500 and ESP. However, if the VPN tunnel is terminating on the PIX, then you do not have to open those ports.

If you have further doubts and/or questions, please draw a network topology diagram to make things more clear (in case I have not understood your network right).
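As an added example, not code from anyone in this thread, the following checker takes a simplified PIX-style rule set and reports which of the flows named in the replies (UDP 500, the ESP protocol, and UDP 4500 when the peer is PATed) are not yet permitted. The ACL line format, the port-name table and the 203.0.113.5 endpoint address are assumptions made for the example.

```python
"""Check whether a simple packet-filter rule set leaves room for an IPsec tunnel.

Assumed (simplified) rule format, one rule per line:
    access-list <id> permit <proto> any host <ip> [eq <port>]
"""
import re
from typing import List, Optional, Set, Tuple

# A flow is (protocol, destination port); port is None for protocol-only traffic such as ESP.
Flow = Tuple[str, Optional[int]]

# Named ports accepted in place of numbers (small subset, assumption for this example).
PORT_NAMES = {"isakmp": 500}

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>\w+)\s+any\s+host\s+\S+"
    r"(?:\s+eq\s+(?P<port>\w+))?\s*$"
)

def required_flows(behind_pat: bool) -> Set[Flow]:
    """Traffic the IPsec peer must be able to receive, as listed in the replies above."""
    flows: Set[Flow] = {("udp", 500), ("esp", None)}  # ISAKMP, plus ESP (a protocol, not a port)
    if behind_pat:
        flows.add(("udp", 4500))                       # NAT-T carries ESP inside UDP 4500 once PATed
    return flows

def parse_rule(line: str) -> Optional[Flow]:
    """Return (proto, port) for a recognised permit rule, otherwise None."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    port: Optional[int] = None
    if m.group("port") is not None:
        port = PORT_NAMES.get(m.group("port").lower())
        if port is None:
            port = int(m.group("port"))
    return (m.group("proto").lower(), port)

def covers(rule: Flow, flow: Flow) -> bool:
    """A permit rule covers a flow if it matches the protocol and port, or is wider."""
    r_proto, r_port = rule
    f_proto, f_port = flow
    if r_proto == "ip":          # 'permit ip' opens every protocol: far wider than needed
        return True
    if r_proto != f_proto:       # e.g. 'permit tcp ... eq 500' does nothing for UDP 500 or ESP
        return False
    return r_port is None or r_port == f_port

def missing_flows(acl_lines: List[str], behind_pat: bool) -> Set[Flow]:
    """Flows the tunnel needs that no rule in acl_lines permits."""
    rules = [r for r in (parse_rule(l) for l in acl_lines) if r is not None]
    return {f for f in required_flows(behind_pat) if not any(covers(r, f) for r in rules)}
```

Running `missing_flows` on the original poster's guess (UDP and TCP 500 only) with `behind_pat=True` reports ESP and UDP 4500 as still blocked; the TCP 500 rule covers nothing the tunnel uses.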