Setting up a PIX behind a NAT router for Remote Access and VPN

Unanswered Question
Dec 12th, 2007

Hi all,


I am looking for some basic guidelines for setting up a PIX 501 behind a NAT router. I've set up a few of them, but I seem to do it differently every time and I want to create a standard list of bullet points to hit every time I do one. Seems like no DSL providers around here offer bridged service anymore, so I have to make do behind their end user device, which is always some conglomeration of NAT router and firewall.


First off, what ports do I need forwarded to the PIX inbound for L2L VPN? Here is what I've been forwarding:


UDP 500 inbound > PIX

UDP 4000 inbound > PIX


Second, what do I need to do to ensure remote access to the PIX? I assume forwarding TCP 22 inbound > PIX would handle SSH, but are there any others I should forward?


I know some routers have the 'DMZ Host' feature which basically NATs an inside host directly to the Internet, but that usually also disables remote access to the DSL modem, which I want to retain if possible. I also want to be able to remotely manage the PIX without an IPSEC tunnel in case I need to troubleshoot a broken tunnel.


Any other changes I should make sure I make?
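The checklist the post asks for can be turned into a small audit script. The following is an added example, not code from the original thread or from Cisco: it models a DSL router's port-forwarding table and checks it against the well-known IPsec ports (IKE on UDP 500 and NAT-T on UDP 4500, which also carries the ESP payload once NAT traversal is negotiated, so no separate protocol-50 forward is needed) plus the out-of-tunnel SSH management path. It also flags the two exposure problems the post touches on: a 'DMZ host' rule that passes every port to the PIX, and a management forward open to any source address. The PIX address, the management source network and the three sample tables are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Forward:
    """One port-forward (or 'DMZ host') entry on the DSL router.

    proto='any' with port=None models a DMZ-host rule that passes all traffic."""
    proto: str                  # 'udp', 'tcp' or 'any'
    port: Optional[int]         # None means every port
    dest: str                   # inside host the router hands the traffic to
    src: str = "0.0.0.0/0"      # permitted source; default is the whole Internet


# Well-known IPsec ports a peer behind NAT needs reachable from the Internet.
REQUIRED_VPN = [("udp", 500, "IKE (ISAKMP)"), ("udp", 4500, "IPsec NAT-T")]
# Out-of-tunnel management the post wants to keep for troubleshooting.
REQUIRED_MGMT = [("tcp", 22, "SSH")]

PIX_IP = "192.168.1.2"          # constructed: the PIX outside address on the router LAN
ADMIN_NET = "203.0.113.10/32"   # constructed: the admin's fixed public address


def _covers(rule: Forward, proto: str, port: int, dest: str) -> bool:
    """True if this forward delivers proto/port to dest (DMZ host covers everything)."""
    if rule.dest != dest:
        return False
    if rule.proto == "any" and rule.port is None:
        return True
    return rule.proto == proto and rule.port == port


def audit(forwards: List[Forward], pix_ip: str) -> Dict[str, List[str]]:
    """Compare a forwarding table with what the PIX needs and report the gaps.

    missing  - required service with no forward to the PIX
    dmz_host - catch-all rule that exposes every PIX port instead of three
    exposed  - management forward reachable from any source address
    """
    findings: Dict[str, List[str]] = {"missing": [], "dmz_host": [], "exposed": []}

    for proto, port, name in REQUIRED_VPN + REQUIRED_MGMT:
        if not any(_covers(r, proto, port, pix_ip) for r in forwards):
            findings["missing"].append(f"{name} {proto}/{port}")

    mgmt_ports = {(p, n) for p, n, _ in REQUIRED_MGMT}
    for r in forwards:
        if r.dest != pix_ip:
            continue
        if r.proto == "any" and r.port is None:
            findings["dmz_host"].append(
                f"DMZ host rule forwards every port to {pix_ip}; "
                f"replace with explicit udp/500, udp/4500 and tcp/22 forwards")
        elif (r.proto, r.port) in mgmt_ports and r.src == "0.0.0.0/0":
            findings["exposed"].append(
                f"{r.proto}/{r.port} is forwarded from any source; "
                f"restrict the forward (or the PIX 'ssh' statement) to the admin network")
    return findings


# Constructed sample tables.
# 1) Forwards like the ones listed in the post: NAT-T is on 4500, not 4000.
POSTED_TABLE = [
    Forward("udp", 500, PIX_IP),
    Forward("udp", 4000, PIX_IP),
    Forward("tcp", 22, PIX_IP),
]
# 2) The router's 'DMZ Host' feature pointed at the PIX.
DMZ_TABLE = [Forward("any", None, PIX_IP)]
# 3) The minimal explicit set, with SSH limited to the admin address.
RECOMMENDED_TABLE = [
    Forward("udp", 500, PIX_IP),
    Forward("udp", 4500, PIX_IP),
    Forward("tcp", 22, PIX_IP, src=ADMIN_NET),
]

if __name__ == "__main__":
    for label, table in [("posted", POSTED_TABLE), ("dmz", DMZ_TABLE),
                         ("recommended", RECOMMENDED_TABLE)]:
        print(label, audit(table, PIX_IP))
```

Running it prints one findings dictionary per table: the first is missing the NAT-T forward and has SSH open to the world, the second is complete but only because the DMZ-host rule exposes every port, and the third comes back clean. Extending `REQUIRED_VPN` and `REQUIRED_MGMT` is the place to add other services (for example a forward for the modem's own management page) so the same check can be re-run on every site.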
