Pass IPSec through PIX 506

Unanswered Question
May 13th, 2008

Hope this is the right spot... I've done searches and found posts that are close, but no solution that has worked for me....

Summary: My firewall is a PIX 506E. The other company is using Cisco routers on both ends to maintain the VPN. I have no access to their equipment.

The Issue

I have a vendor that has put a Cisco VPN device behind my firewall. They originally told me to make sure I could ping 4 IP addresses (they supplied) and all would be fine. I was able to set up my firewall to allow the pinging to the internet. However, now they say I am reaching their end of the VPN, but my firewall is blocking IPSec.

What do I need to do so I can allow this traffic to pass through my PIX?

Thanks in advance for any help.

cisco24x7 Tue, 05/13/2008 - 18:20

This is how I would do this:

1- Your PIX 506E only has two physical interfaces, e0 and e1.

2- Create a DMZ on your PIX 506E via 802.1q and assign a public IP address on the DMZ interface. For example, 1.1.1.1/30 will be the IP address of the DMZ and you assign the Cisco VPN device an IP address of 1.1.1.2/30.

3- Create another DMZ1 on your PIX 506E with 802.1q and assign an IP address 10.1.1.1/30 and give the Cisco VPN device an internal IP address of 10.1.1.2/30.

4- static (dmz,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255

5- access-list External permit udp 4-IP_address host 1.1.1.2 eq 500 log
   access-list External permit esp 4-ip-address host 1.1.1.2 log
   access-list External permit udp 4-ip-address host 1.1.1.2 eq 4500 log
   access-group External in interface outside

That way, you will protect your internal network from viruses traversing the VPN. This is a classic design called sandwiching your VPN device between the firewall.

CCIE Security
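A small evaluator, added here as an example and not part of the thread, that checks the "External" access-list in the reply above against the three flows an IPsec peer needs (IKE udp/500, NAT-T udp/4500 and ESP) and shows why an ICMP-only rule, which is enough for the vendor's ping test, still leaves IPsec blocked. The peer addresses are constructed stand-ins for the vendor's "4-IP_address" list; the ACL syntax is the PIX 6.x form used in the reply.

```python
import ipaddress

# Constructed stand-ins for the vendor's "4-IP_address" peers; 1.1.1.2 is the
# VPN device's public DMZ address from the reply above.
PEERS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
VPN_DEVICE = "1.1.1.2"
# Flows an IPsec peer needs: IKE (udp/500), NAT-T (udp/4500), ESP (IP proto 50).
IPSEC_FLOWS = [("udp", 500), ("udp", 4500), ("esp", None)]
# The reply's "External" ACL with the placeholder expanded, one ACE per peer.
REPLY_ACL = [
    f"access-list External permit {proto} host {p} host {VPN_DEVICE}"
    + (f" eq {port}" if port else "") + " log"
    for p in PEERS for proto, port in IPSEC_FLOWS
]
# What the poster had: the ping test allowed, but none of the IPsec protocols.
PING_ONLY_ACL = [f"access-list External permit icmp host {p} host {VPN_DEVICE}" for p in PEERS]


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT] [log]' where
    SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = line.split()
    permit, proto, rest = t[2] == "permit", t[3], t[4:]

    def addr():
        tok = rest.pop(0)
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if tok == "host":
            return ipaddress.ip_network(rest.pop(0) + "/32")
        return ipaddress.ip_network(f"{tok}/{rest.pop(0)}", strict=False)

    src, dst = addr(), addr()
    port = int(rest[1]) if len(rest) > 1 and rest[0] == "eq" else None
    return permit, proto, src, dst, port


def permitted(acl_lines, proto, src, dst, dport=None):
    """First-match evaluation; unmatched traffic hits the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, aproto, asrc, adst, aport in map(parse_ace, acl_lines):
        if aproto in (proto, "ip") and aport in (None, dport) and s in asrc and d in adst:
            return permit
    return False


def ipsec_passes(acl_lines, peers=PEERS, device=VPN_DEVICE):
    """Map (peer, proto, port) -> bool for every flow the VPN device must receive."""
    return {(p, proto, port): permitted(acl_lines, proto, p, device, port)
            for p in peers for proto, port in IPSEC_FLOWS}
```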

jcorirossi Wed, 05/14/2008 - 06:13

For this solution to work, does it matter that the VPN device on my end is the one starting the connection? The VPN is established by certain traffic on my side going to the specific host.

cisco24x7 Wed, 05/14/2008 - 06:51

Both sides can initiate traffic without any issues. This is because your DMZ has higher priority than the "outside" interface.
