VPN through Router

Jul 23rd, 2007


I was wondering if there is anything I need to do to a router which is in front of my PIX515E.

The setup I have is a PIX515E with a 3660 router in front of it, before the internet. On this router are the public IP addresses, which are then NAT'ed to IPs on the PIX. So for instance my PIX has as its IP on the outside interface card, and on the 3660 there will be a static entry to map this to its public IP.

Is there anything special or extra I need to do on the router to get the traffic through, as my client is not connecting? Is there any test I can do to see how far it's getting?



Fernando_Meza Mon, 07/23/2007 - 16:52

Hi .. are you trying to connect to the PIX using the Cisco VPN client? If that is the case then you might need to apply an access list to the internal and external interfaces of the router ... i.e.

access-list 100 permit udp any host eq 500
access-list 100 permit udp any host eq 4500
access-list 100 permit esp any host

Add any other access for traffic initiated from the internet and then apply this access list to the outside interface of the router.

access-list 110 permit udp host any eq 500
access-list 110 permit udp host any eq 4500
access-list 110 permit esp host any

Add any other outbound access you want to allow and then apply the access list to the internal interface of the router.

You might also need to enable NAT traversal on the PIX by adding isakmp nat-traversal 20 on the PIX.

I hope it helps .. please rate it if it does !!!

edw Tue, 07/24/2007 - 02:54


The router has a very vanilla setup - traffic of all types flows through it without problem? Unless the router blocks certain ports by default??

It seems to be because I'm trying to NAT to a logical interface on the PIX. I was trying to separate traffic using virtual interfaces and VLANs. I'm not sure how secure it is giving a PIX an internet IP??? Can't people hack these boxes easily when they are configured like that?



rajatsetia Wed, 07/25/2007 - 21:15

Hi Ed

First thing that you asked is how to trace traffic?

-> Check your PIX syslog messages and see if client traffic is passing through your router and hitting the PIX interface.

-> You can check the NetFlow traffic on the router by enabling "ip route-cache flow", and you can check the current traffic with "show ip cache flow". If you want to get the NetFlow data collected offline, you need some NetFlow analyser tool.

And you can troubleshoot where the traffic is getting blocked and why; it could be any access-list that you have applied on the router, etc.

Second thing that you have asked is: is it safe to give a public IP on the PIX outside interface?

Yes, you can do this setup without any problem, but you need to be clear about what traffic you are going to permit through the PIX.

As Fernando said, if it's a client-to-site VPN setup you may need to enable NAT Traversal, as VPN and NAT by their basic nature don't gel, just like water and oil :)

Best bet will be: give your PIX a public IP, define your security policies clearly, and filter most of the traffic on the router only, like private IPs from the internet etc.

HTH, please rate if it does
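The "show ip cache flow" check suggested above can be read mechanically. The script below is an added example, not part of this thread or of Cisco's tooling: it parses the flow table printed by that command (the Pr, SrcP and DstP columns are hexadecimal) and reports, for the three flows a Cisco VPN client needs (UDP/500 IKE, UDP/4500 NAT-T and ESP), whether each was seen arriving on the outside interface and forwarded inward, seen but dropped (DstIf shows as Null), or not seen at all. The interface names, the PIX public address 203.0.113.10 and the flow lines themselves are constructed placeholders, not taken from the poster's router.

```python
"""Classify 'show ip cache flow' output for VPN-client troubleshooting.

Added example (not from the original thread). Sample flow table below is
constructed; interface names and addresses are placeholders.
"""

# Protocol numbers as printed in the Pr column (hex): 06 TCP, 11 UDP, 32 ESP
PROTO_UDP = 0x11
PROTO_ESP = 0x32

# Constructed sample output in the layout 'show ip cache flow' prints.
SAMPLE_FLOW_TABLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0         198.51.100.7    Fa0/1         203.0.113.10    11 01F4 01F4     12
Fa0/1         10.1.1.2        Se0/0         198.51.100.7    11 01F4 01F4     11
Se0/0         198.51.100.7    Fa0/1         203.0.113.10    11 1194 1194      9
Fa0/1         10.1.1.2        Se0/0         198.51.100.7    11 1194 1194      8
Se0/0         198.51.100.7    Null          203.0.113.10    32 0000 0000      5
Se0/0         192.0.2.44      Fa0/1         203.0.113.10    06 C3A1 0050      3
"""


def parse_flow_cache(text):
    """Parse the flow table into dicts; skips the header and blank lines.

    Ports and the protocol number are hexadecimal in this output."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, pr, srcp, dstp, pkts = fields[:8]
        records.append({
            "src_if": src_if, "src_ip": src_ip,
            "dst_if": dst_if, "dst_ip": dst_ip,
            "proto": int(pr, 16), "sport": int(srcp, 16), "dport": int(dstp, 16),
            "pkts": int(pkts),
        })
    return records


def classify(rec):
    """Name the VPN flow type a record belongs to, or None if unrelated."""
    if rec["proto"] == PROTO_ESP:
        return "esp"
    if rec["proto"] == PROTO_UDP and rec["dport"] == 500:
        return "isakmp"
    if rec["proto"] == PROTO_UDP and rec["dport"] == 4500:
        return "nat_t"
    return None


def vpn_flow_report(text, pix_public_ip, outside_if):
    """For each VPN flow type: 'forwarded', 'dropped' (DstIf Null) or 'absent'.

    Only flows entering on the outside interface and addressed to the PIX's
    public IP are considered; a single forwarded flow outranks dropped ones."""
    status = {"isakmp": "absent", "nat_t": "absent", "esp": "absent"}
    for rec in parse_flow_cache(text):
        if rec["src_if"] != outside_if or rec["dst_ip"] != pix_public_ip:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        if rec["dst_if"] != "Null":
            status[kind] = "forwarded"
        elif status[kind] == "absent":
            status[kind] = "dropped"
    return status


if __name__ == "__main__":
    report = vpn_flow_report(SAMPLE_FLOW_TABLE, "203.0.113.10", "Se0/0")
    for kind, state in report.items():
        print(f"{kind:7s} {state}")
```

In the constructed sample the IKE and NAT-T flows are forwarded but the ESP flow is dropped, which is the pattern you would see when an outside-in access list permits UDP/500 and UDP/4500 but lacks the "permit esp" entry; a flow that is "absent" altogether points upstream of the router rather than at its access lists.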


edw Thu, 07/26/2007 - 02:52


I managed to get it working. In the end I gave the public IP to the physical interface. I was wondering if it's slightly safer giving it to the logical interface? But I wasn't able to get this to work.

My access lists are pretty clear now. I'm pretty anal on these things - but the access lists on the router are very vanilla. You say filter private IPs from the internet on the router? What do you mean by this??

Also, on the PIX how do I limit traffic to each group?? I use the crypto isakmp match address command, but then traffic drops completely and I get "group does not match SA" errors?



rajatsetia Thu, 07/26/2007 - 04:57


I was talking about various security controls which you can apply on the internet-facing router itself. Private IPs are not supposed to be present on the internet cloud, so filter them out on the router itself, i.e. block all the traffic hitting your internet router with private IPs as source ...

Similarly, you don't expect public IPs allocated to your organisation to come as source in any internet traffic incoming to your router; these public IPs will always be destinations only, so block them as source IPs at the router (anti-spoofing technique).

You can dig more into these controls; search for the keywords "security best practices" at Cisco.
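Fernando's outside-interface access list and the anti-spoofing filtering described just above combine into one ordered list, and Cisco ACLs are evaluated top-down, first match wins, with an implicit deny for anything unmatched. The script below is an added example, not from this thread or from Cisco: it models such an inbound ACL in Python so the ordering can be checked against constructed packets. The RFC1918 denies and the "own block as source" deny sit in front of the three VPN permits (UDP/500, UDP/4500, ESP to the PIX), and a few sample packets show which entry each one hits. The PIX public address 203.0.113.10 and the site block 203.0.113.0/24 are placeholder documentation addresses, not the poster's.

```python
"""Model of an internet-facing router's inbound ACL: anti-spoofing denies
followed by the VPN-client permits. Added example, not Cisco configuration;
addresses are placeholders."""
import ipaddress

PIX_PUBLIC = "203.0.113.10"      # placeholder for the PIX outside address
OUR_BLOCK = "203.0.113.0/24"     # placeholder for the site's own public block

# (action, proto, src_net, dst_net, dst_port); proto "ip" matches any
# protocol, dst_port None matches any port. Order matters: first match wins.
OUTSIDE_IN = [
    ("deny",   "ip",  "10.0.0.0/8",     "0.0.0.0/0",        None),  # RFC1918 source
    ("deny",   "ip",  "172.16.0.0/12",  "0.0.0.0/0",        None),
    ("deny",   "ip",  "192.168.0.0/16", "0.0.0.0/0",        None),
    ("deny",   "ip",  OUR_BLOCK,        "0.0.0.0/0",        None),  # own block as source
    ("permit", "udp", "0.0.0.0/0",      PIX_PUBLIC + "/32", 500),   # IKE
    ("permit", "udp", "0.0.0.0/0",      PIX_PUBLIC + "/32", 4500),  # NAT-T
    ("permit", "esp", "0.0.0.0/0",      PIX_PUBLIC + "/32", None),  # IPsec ESP
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry_index) of the first matching entry.

    An unmatched packet returns ("deny", None): the implicit deny at the
    end of every Cisco ACL."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for index, (action, aproto, snet, dnet, aport) in enumerate(acl):
        if aproto != "ip" and aproto != proto:
            continue
        if src_ip not in ipaddress.ip_network(snet):
            continue
        if dst_ip not in ipaddress.ip_network(dnet):
            continue
        if aport is not None and aport != dport:
            continue
        return action, index
    return "deny", None


# Constructed packets: a legitimate VPN client at 198.51.100.7, two spoofed
# sources, and an unrelated telnet attempt at the PIX.
SAMPLE_PACKETS = [
    ("client IKE",        "udp", "198.51.100.7", PIX_PUBLIC, 500),
    ("client NAT-T",      "udp", "198.51.100.7", PIX_PUBLIC, 4500),
    ("client ESP",        "esp", "198.51.100.7", PIX_PUBLIC, None),
    ("spoofed RFC1918",   "udp", "10.1.1.9",     PIX_PUBLIC, 500),
    ("spoofed own block", "udp", "203.0.113.77", PIX_PUBLIC, 500),
    ("telnet to PIX",     "tcp", "198.51.100.7", PIX_PUBLIC, 23),
]


def run_samples(acl=OUTSIDE_IN, packets=SAMPLE_PACKETS):
    """Evaluate every sample packet; returns {label: (action, index)}."""
    return {label: evaluate(acl, proto, src, dst, dport)
            for label, proto, src, dst, dport in packets}


if __name__ == "__main__":
    for label, (action, index) in run_samples().items():
        where = "implicit deny" if index is None else f"entry {index}"
        print(f"{label:18s} {action:6s} ({where})")
```

Putting the anti-spoofing denies first is what makes them effective: swap them below the "permit udp any host ... eq 500" entry and a spoofed IKE packet from 10.1.1.9 would be permitted by that entry before the deny is ever reached.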


