Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
533
Views
0
Helpful
5
Replies

VPN through Router

edw
Level 1
Level 1

‎07-23-2007 04:18 PM - last edited on ‎03-25-2019 05:38 PM by Community Manager

Hi,

I was wondering if there is anything I need to do to a router which is infront of my PIX515E.

The setup I have is a PIX515E with a 3660 Router infront of this before the internet. On this router is the public IP addresses which are then nat'ed to ip on the PIX. So for instance my PIX has 10.10.10.1 as i IP on the outside interface card and on the 3660 it will have a static entry to map this to its public ip.

Is there anything special or extra I need to do on the router to get the traffic through as my client is not connecting. Is there any test i can do to see how far its getting ??

Thanks

Ed

Labels:
0 Helpful
5 Replies 5

Fernando_Meza
Level 7
Level 7

‎07-23-2007 04:52 PM

Hi .. are you trying to connect to the PIX using cisco vpn client ..? if that is the case then you might need to apply an access list to the internal and external interface of the router ... i.e

1.-

access-list 100 permit udp any host eq 500

access-list 100 permit udp any host eq 4500

access-list 100 permit esp any host

Add any other access for traffic initiated from the internet and then apply this access list to the outside interface of the router.

2.-

access-list 110 permit udp host 10.10.10.1 any eq 500

access-list 110 permit udp host 10.10.10.1 any eq 4500

access-list 110 permit esp host 10.10.10.1 any

add any other outbound access you want to allow and then apply the access list to the internal interface of the router.

You might also need to enable nat traversal on the PIX by adding isakmp nat-traversal 20 on the PIX

I hope it helps .. please rate it if it does !!!

0 Helpful

edw
Level 1
Level 1
In response to Fernando_Meza

‎07-24-2007 02:54 AM

Hi,

The router has a very vanillia setup - traffic of all types flows through it without problem ? Unless the router blocks certain ports by default ??

It seems to be becuase I'm trying to NAT to a logical interface on the PIX. I was trying to seperate traffic from each other using virtual interfaces and VLANs. I'm not sure how secure it is giving a PIX a internet IP ??? Can't people hack these boxes easily when they are configured like that ?

Thanks

Ed

0 Helpful

rajatsetia
Level 1
Level 1
In response to edw

‎07-25-2007 09:15 PM

Hi Ed

First thing that you asked is how to trace traffic ?

-> Check your PIX syslog messages and see if client traffic is passing through your router and hitting PIX interface ?

->You can check the netflow traffic on the router by enabling "ip route-cache flow " and you can check the current traffic by "show ip cache flow". If you want to get the netflow data collected offline, you need to have some netflow analyser tool.

and you can troubleshoot where the traffic is getting bloacked and why ? could be any access-list that you have applied on router etc

Second thing that you have asked is :- is it safe to give public ip on pix outside interface ?

Yes, you can do this setup without any problem but you need to be clear about what trafic you are going to permit through PIX.

As fernando said if its client to site vpn setup you may need to enable NAT Traversal, as VPN and NAT by their basic nature donnt gel just like water and oil :)

best bet will be, give your pix a public ip and define your secuirty policies clearly and filter most of traffic on router only like private ips from internet etc.

HTH, please rate if it does

rgds

0 Helpful

edw
Level 1
Level 1
In response to rajatsetia

‎07-26-2007 02:52 AM

Hi,

I managed to get it working. I in the end gave the public IP to the physical interface. I was wondering if its slightly safer giving it to the logical interface ? But I wasn't able to get this to work.

My access lists are pretty clear now. I'm pretty anal on these things - but the access list on the router are very vanilla. You say filter private ip from the internet on the router? What do you mean by this ??

Also on the PIX how do I limit traffic to each group ?? I use the crypto isakmp match address command but then traffic drops completely and I get a group does not match SA errors?

Thanks

Ed

0 Helpful

rajatsetia
Level 1
Level 1
In response to edw

‎07-26-2007 04:57 AM

Hi

I was talking about various security controls which you can apply on internet facing router itself like private ips are not supposed to be present on internet cloud so filter them out on the router itslef i.e. block all the traffic hitting your internet router with private ips as source ...

similarly you donnt expect public ips allocated to your organisation to come as source, any internet incoming to your router , these public ips will always remain as destination only so block them as source ips at router (anti- spoofing technique)..

you can dig more about these controls , search for keywords "security best practises" at cisco.

rgds

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card