How to allow VPN to PIX behind another router?


I currently have a PIX 501 with remote users on VPN via the Cisco VPN Client. I have a wireless router that I'd like to put outside my PIX to allow visiting clients/associates wireless internet access without internal LAN access (those that need internal LAN can VPN through the PIX). Is this possible? If so, what ports (or other things?) on the router do I need to forward to the PIX to enable that? We connect via IPSec over UDP.


Mike Trout

Neuma, Inc.

ajagadee Thu, 01/31/2008 - 19:27

You can put a router in front of the Pix and still terminate Remote Access VPN Connection. Make sure that the Pix outside IP Address has a routable IP Address or you can have a Private IP Address but need to NAT on the router in front of the Pix.

Ports/Protocols to Open on the Router.


ESP - Protocol 50

NAT-T - UDP 4500

IPSEC Over UDP - UDP 10000 (Default)

IPSEC Over TCP - TCP 10000 (Default)

I hope it helps.



** Please rate all helpful posts **
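
As an added illustration (not code from this thread, from Cisco or from D-Link), the following Python model applies the list above to constructed inbound traffic and compares three router behaviours: the full rule set including ESP as IP protocol 50, the port-only subset a basic home router's port-forwarding page can express, and a DMZ host setting that passes everything. UDP 500 for IKE is taken from the follow-up reply below; the packets, addresses and the `Packet` type are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers (IANA); ESP is protocol 50 and has no port numbers.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50

# Forwarding rules as (ip_protocol, dst_port); None means the whole protocol.
FULL_RULES = [
    (PROTO_UDP, 500),     # IKE/ISAKMP
    (PROTO_UDP, 4500),    # NAT-T
    (PROTO_UDP, 10000),   # Cisco IPsec over UDP (default port)
    (PROTO_TCP, 10000),   # Cisco IPsec over TCP (default port)
    (PROTO_ESP, None),    # ESP itself, IP protocol 50
]
# What a basic home router's port-forwarding page can express: TCP/UDP ports only.
PORT_ONLY_RULES = [r for r in FULL_RULES if r[1] is not None]

@dataclass(frozen=True)
class Packet:            # constructed for this example
    src: str
    proto: int
    dport: Optional[int] = None  # None for ESP, which has no transport header

def forwarded(pkt, rules, dmz=False):
    """True if the router passes an unsolicited inbound packet on to the PIX.
    dmz=True models 'PIX in the DMZ': everything is passed, matching or not."""
    if dmz:
        return True
    return any(pkt.proto == proto and (port is None or pkt.dport == port)
               for proto, port in rules)

def classify(packets, rules, dmz=False):
    """Split constructed inbound traffic into (passed, dropped) lists."""
    passed = [p for p in packets if forwarded(p, rules, dmz)]
    dropped = [p for p in packets if not forwarded(p, rules, dmz)]
    return passed, dropped

# Constructed sample of unsolicited inbound traffic on the router's WAN side.
SAMPLE = [
    Packet("203.0.113.10", PROTO_UDP, 500),    # VPN client: IKE
    Packet("203.0.113.10", PROTO_UDP, 4500),   # VPN client: NAT-T
    Packet("203.0.113.10", PROTO_UDP, 10000),  # VPN client: IPsec over UDP
    Packet("203.0.113.10", PROTO_ESP),         # VPN client: raw ESP
    Packet("198.51.100.7", PROTO_TCP, 3389),   # unrelated inbound: must stay blocked
]
```

Running `classify(SAMPLE, PORT_ONLY_RULES)` shows raw ESP dropped while NAT-T and IPsec over UDP still pass, which is why a port-only router works for clients using UDP encapsulation; `classify(SAMPLE, FULL_RULES, dmz=True)` shows the DMZ setting also passing the unrelated packet to the PIX.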

Thanks for the reply, Arul.

The wireless router I have is a basic one (D-Link Rangebooster G model WBR-2310) so I think I will have to NAT. I plan on setting up a reserved IP like for the PIX, and will forward the ports you mentioned - 500, 4500 & 10000 - to it. What is this ESP Protocol? I saw a reference to it in another posting, but don't know what it is. Is it like a port I need to forward? I don't know how to forward protocols.

Would it work better if I just put the PIX in a DMZ?

While my ISP (AT&T) gives me a block of, I think, 5 IPs, I don't think the simple router is able to talk to a 2nd address, but I could be wrong.

Thanks again,

Mike Trout

Neuma, Inc.

d-mark Fri, 02/01/2008 - 11:37


ESP is a protocol like TCP or ICMP; its protocol number is 50.

I would put the PIX into the DMZ if possible. And if there is another free public IP, I would put the access point next to the PIX into the DMZ and let the access point do the NAT for the wireless network.



Thanks for the reply Mark.

I'm not sure I can (without additional hardware) do the rest the way you suggest.

What I have for hardware is:

ADSL modem (speedstream 5200? w/1 ethernet)

Cisco Pix 501

D-Link wireless router WBR-2310 (think simple home wireless router w/4 port switch)

24-port ethernet switch for the LAN w/~12 PCs on it.

I doubt the D-Link router can deal with more than 1 WAN IP (though if it can, I would be interested). I'm not using the rest of the block of IPs anyways and although the PIX may be able to use them, I don't know of a use for them at this time.

Currently I have:

ADSL modem --> PIX --> Switch

(with no wireless)

What I envision is:

ADSL modem --> D-Link router --> PIX --> Switch

I just need to ensure remote users can get to the PIX from the internet. We're using the Cisco VPN client (4.8.something IIRC).

The Router would be the DHCP server for wireless (as you suggest), with a reserved IP for the PIX, and the PIX is currently and will be DHCP server for the internal LAN.

If I put the PIX in the DMZ on the D-Link, do I then have to worry about forwarding ports?


Mike Trout

Neuma, Inc.

