Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
736
Views
0
Helpful
4
Replies

How to allow VPN to PIX behind another router?

miket
Level 1
Level 1

‎01-31-2008 01:41 PM - edited ‎02-21-2020 03:31 PM

I currently have a PIX 501 with remote users on VPN via the Cisco VPN Client. I have a wireless router that I'd like to put outside my PIX to allow visiting clients/associates wireless internet access without internal LAN access (those that need internal LAN can VPN through the PIX). Is this possible? If so, what ports (or other things?) on the router do I need to forward to the PIX to enable that? We connect via IPSec over UDP.

Thanks,

Mike Trout

Neuma, Inc.

Labels:
0 Helpful
4 Replies 4

ajagadee
Cisco Employee
Cisco Employee

‎01-31-2008 07:27 PM

You can put a router in front of the Pix and still terminate Remote Access VPN Connection. Make sure that the Pix outside IP Address has a routable IP Address or you can have a Private IP Address but need to NAT on the router in front of the Pix.

Ports/Protocols to Open on the Router.

ISAKMP - UDP 500

ESP - Protocol 50

NAT-T - UDP 4500

IPSEC Over UDP - UDP 10000 (Default)

IPSEC Over TCP - TCP 10000 (Default)

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **

0 Helpful

miket
Level 1
Level 1
In response to ajagadee

‎02-01-2008 07:37 AM

Thanks for the reply, Arul.

The wireless router I have is a basic one (D-Link Rangebooster G model WBR-2310) so I think I will have to NAT. I plan on setting up a reserved IP like 192.168.0.2 for the PIX, and will forward the ports you mentioned - 500, 4500 & 10000 - to it. What is this ESP Protocol? I saw a reference to it in another posting, but don't know what it is. Is it like a port I need to forward? I don't know how to forward protocols.

Would it work better if I just put the PIX in a DMZ?

While my ISP (AT&T) gives me a block of I think 5 IPs I don't think the simple router is able to talk to a 2nd address, but I could be wrong.

Thanks again,

Mike Trout

Neuma, Inc.

0 Helpful

d-mark
Level 1
Level 1
In response to miket

‎02-01-2008 11:37 AM

Hi,

ESP is a protocol like tcp or icmp, it's protocol number is 50.

I would put the pix into the dmz if possible. And if there is another free public, I would put the access-point next to the pix into the dmz. and let the access-point do the nat for the wireless network.

regards

Mark

0 Helpful

miket
Level 1
Level 1
In response to d-mark

‎02-01-2008 01:03 PM

Thanks for the reply Mark.

I'm not sure I can (without additional hardware) do the rest the way you suggest.

What I have for hardware is:

ADSL modem (speedstream 5200? w/1 ethernet)

Cisco Pix 501

D-Link wireless router WBR-2310 (think simple home wireless router w/4 port switch)

24-port ethernet switch for the LAN w/~12 PC's on it.

I doubt the D-Link router can deal with more than 1 WAN IP (though if it can, I would be interested). I'm not using the rest of the block of IPs anyways and although the PIX may be able to use them, I don't know of a use for them at this time.

Currently I have:

ADSL modem --> PIX --> Switch

(with no wireless)

What I envision is:

ADSL modem --> D-Link router --> PIX --> Switch

I just need to ensure remote users can get to the PIX from the internet. We're using the Cisco VPN client (4.8.something IIRC).

The Router would be the DHCP server for wireless (as you suggest), with a reserved IP for the PIX, and the PIX is currently and will be DHCP server for the internal LAN.

If I put the PIX in the DMZ on the D-Link, do I then have to worry about forwarding ports?

Thanks,

Mike Trout

Neuma, Inc.

0 Helpful
Customers Also Viewed These Support Documents