Cisco VPN client through a PIX Firewall

Unanswered Question
Aug 9th, 2007

Hi, has anyone ever configured a PIX to sit between a local LAN switch and an internet broadband router to basically block all traffic except for outgoing VPN connections using the Cisco VPN client to a Cisco VPN concentrator from PCs located on the local LAN?

If anyone has got this kind of setup working then it would be useful to get an overview of how; I have searched the net but can't seem to find anything specific to what I'm trying to achieve.

The info I'm interested in is what specific protocols/ports need to be allowed through, any features that need to be enabled on the PIX, etc.

Thanks in advance.

acomiskey Thu, 08/09/2007 - 09:43

The IPsec VPN ports which would need to be allowed through would be

udp 500
udp 4500
protocol 50 (ESP)

You could simply create an access-list on your inside interface allowing only these ports outbound.

access-list inside permit udp any any eq 500
access-list inside permit udp any any eq 4500
access-list inside permit esp any any
! everything not matched above is dropped by the implicit deny at the end of the list
access-group inside in interface inside

or more specifically

! <CONCENTRATOR-IP> is a placeholder for the address of your VPN concentrator
access-list inside permit udp any host <CONCENTRATOR-IP> eq 500
access-list inside permit udp any host <CONCENTRATOR-IP> eq 4500
access-list inside permit esp any host <CONCENTRATOR-IP>
access-group inside in interface inside
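As an added illustration (not code from the thread), here is a small Python evaluator for the PIX-style access-list lines in the reply: it applies first-match semantics with the implicit deny at the end, so you can check which flows the ACL lets out before applying it. The concentrator address 203.0.113.10 is a constructed placeholder, and only the permit/deny, any/host and eq forms used above are parsed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for the VPN concentrator; not an address from the thread.
CONCENTRATOR = "203.0.113.10"

# The "more specific" ACL from the reply, with the host address filled in.
ACL = [
    f"access-list inside permit udp any host {CONCENTRATOR} eq 500",
    f"access-list inside permit udp any host {CONCENTRATOR} eq 4500",
    f"access-list inside permit esp any host {CONCENTRATOR}",
]

@dataclass
class Flow:
    proto: str                   # "udp", "tcp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports (esp)

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' where
    SRC/DST are 'any' or 'host A.B.C.D'. Returns (action, proto, src, dst, port);
    src/dst/port are None when the entry matches anything."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    fields, i = [], 4
    for _ in range(2):               # source spec, then destination spec
        if t[i] == "any":
            fields.append(None); i += 1
        elif t[i] == "host":
            fields.append(t[i + 1]); i += 2
        else:
            raise ValueError(f"unsupported address spec: {t[i]}")
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return t[2], t[3], fields[0], fields[1], port

def matches(ace, flow):
    _, proto, src, dst, port = ace
    return (proto == flow.proto and src in (None, flow.src)
            and dst in (None, flow.dst) and port in (None, flow.dport))

def evaluate(acl, flow):
    """First matching entry decides; no match hits the implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if matches(ace, flow):
            return ace[0]
    return "deny"
```

Note that with this ACL, LAN hosts lose DNS, web and everything else that is not IKE or ESP to the concentrator, which is exactly what the original question asked for.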
