I am looking for some basic guidelines for setting up a PIX 501 behind a NAT router. I've set up a few of them, but I seem to do it differently every time and I want to create a standard list of bullet points to hit every time I do one. Seems like no DSL providers around here offer bridged service anymore, so I have to make do behind their end user device, which is always some conglomeration of NAT router and firewall.
First off, what ports do I need forwarded to the PIX inbound for L2L VPN? Here is what I've been forwarding:
UDP 500 inbound > PIX
UDP 4000 inbound > PIX
Second, what do I need to do to ensure remote access to the PIX? I assume forwarding TCP 22 inbound > PIX would handle SSH, but are there any others I should forward?
I know some routers have the 'DMZ Host' feature which basically NATs an inside host directly to the Internet, but that usually also disables remote access to the DSL modem, which I want to retain if possible. I also want to be able to remotely manage the PIX without an IPSEC tunnel in case I need to troubleshoot a broken tunnel.
Any other changes I should make sure I make?
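As an added example, not part of the original post: a small Python check for a NAT router's port-forwarding plan in front of an IPsec peer that also needs out-of-band SSH management. It assumes the standard assignments of IKE on UDP 500, IPsec NAT traversal on UDP 4500 (RFC 3948) and SSH on TCP 22, and it treats raw ESP (IP protocol 50) as something a port-based NAT cannot forward at all, which is why the UDP-encapsulated path has to be present. The `Forward` type, the `REQUIRED` table, the inside address `192.0.2.10` and the sample rule list are all constructed for this example.

```python
# Added example (not from the original post): validate a NAT router's
# port-forwarding plan for an IPsec site-to-site peer and SSH management
# sitting behind it. Port assumptions: IKE = UDP 500, IPsec NAT-T = UDP 4500
# (RFC 3948), SSH = TCP 22. The PIX address and the sample rule list are
# constructed for this example.

from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    proto: str   # "udp" or "tcp"
    port: int    # external port the router forwards
    target: str  # inside host the router forwards it to


# What an IPsec peer plus out-of-band management needs when the router can
# only forward by TCP/UDP port. Raw ESP (IP protocol 50) has no port and
# cannot be forwarded this way, so the tunnel must use NAT-T on UDP 4500.
REQUIRED = {
    ("udp", 500): "IKE (ISAKMP)",
    ("udp", 4500): "IPsec NAT-T (UDP-encapsulated ESP)",
    ("tcp", 22): "SSH management that does not depend on the tunnel",
}


def check_forwards(forwards, firewall_ip):
    """Return (missing, misdirected) for the plan.

    missing:     required (proto, port) keys with no rule at all, with the reason
    misdirected: required keys whose rule points at a host other than firewall_ip
    """
    by_key = {(f.proto.lower(), f.port): f for f in forwards}
    missing, misdirected = [], []
    for key, why in REQUIRED.items():
        rule = by_key.get(key)
        if rule is None:
            missing.append((key, why))
        elif rule.target != firewall_ip:
            misdirected.append((key, rule.target))
    return missing, misdirected


def unexpected_forwards(forwards):
    """Rules that open something the IPsec/SSH plan does not need; review them."""
    return [f for f in forwards if (f.proto.lower(), f.port) not in REQUIRED]


# Constructed sample plan: one rule lands on UDP 4000 rather than the NAT-T port.
PIX_INSIDE_ADDR = "192.0.2.10"  # placeholder inside address for the PIX
SAMPLE_PLAN = [
    Forward("udp", 500, PIX_INSIDE_ADDR),
    Forward("udp", 4000, PIX_INSIDE_ADDR),
    Forward("tcp", 22, PIX_INSIDE_ADDR),
]

if __name__ == "__main__":
    missing, misdirected = check_forwards(SAMPLE_PLAN, PIX_INSIDE_ADDR)
    for (proto, port), why in missing:
        print(f"missing forward {proto}/{port} -> {PIX_INSIDE_ADDR}: {why}")
    for (proto, port), target in misdirected:
        print(f"{proto}/{port} forwards to {target}, not to the PIX")
    for f in unexpected_forwards(SAMPLE_PLAN):
        print(f"unneeded forward {f.proto}/{f.port} -> {f.target}; remove unless required")
```

Run against the constructed plan it reports UDP 4500 as missing and UDP 4000 as a forward nothing in the plan needs; the `unexpected_forwards` list is the one to review whenever a router's rule set has grown over time, since every extra forward is exposure the PIX never gets to filter.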