Pass IPSec through PIX 506

jcorirossi
Level 1

Hope this is the right spot... I've done searches and found posts that are close, but no solution that has worked for me....

Summary: My firewall is a PIX 506E. The other company is using Cisco routers on both ends to maintain the VPN. I have no access to their equipment.

The Issue

I have a vendor that has put a Cisco VPN device behind my firewall. They originally told me to make sure I could ping 4 IP addresses (they supplied) and all would be fine. I was able to set up my firewall to allow the pinging to the internet. However, now they say I am reaching their end of the VPN, but my firewall is blocking IPSec.

What do I need to do so I can allow this traffic to pass through my PIX?

Thanks in advance for any help.

3 Replies

cisco24x7
Level 6

This is how I would do this:

1- Your PIX 506E only has two physical interfaces, e0 and e1.

2- Create a DMZ on your PIX 506E via 802.1q and assign a public IP address on the DMZ interface. For example, 1.1.1.1/30 will be the IP address of the DMZ, and you assign the Cisco VPN device an IP address of 1.1.1.2/30.

3- Create another DMZ1 on your PIX 506E with 802.1q, assign it an IP address of 10.1.1.1/30, and give the Cisco VPN device an internal IP address of 10.1.1.2/30.

4- static (dmz,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255

5- access-list External permit udp 4-IP_address host 1.1.1.2 eq 500 log
   access-list External permit esp 4-ip-address host 1.1.1.2 log
   access-list External permit udp 4-ip-address host 1.1.1.2 eq 4500 log
   access-group External in interface outside

That way, you will protect your internal network from viruses traversing the VPN. This is a classic design called sandwiching your VPN device between the firewall interfaces.

CCIE Security
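As an added illustration (not part of this thread, and not Cisco's or the poster's own code), here is a small Python check that parses access-list lines in the PIX 6.x form used above and confirms they admit only IKE (UDP/500), NAT-T (UDP/4500) and ESP from the vendor's peer addresses to the DMZ-side VPN device, flagging anything broader and reporting any of the three services that no entry covers. The peer addresses 203.0.113.10 and .11 are constructed documentation-range placeholders standing in for the four addresses the vendor supplied, and the final over-broad line is constructed to show what gets flagged.

```python
"""Audit PIX 6.x-style access-list entries meant to pass IPsec to one VPN device.

Constructed example for this thread, not Cisco's code or the poster's config.
It parses the form used in the reply (access-list NAME permit PROTO SRC DST [eq PORT] [log])
and checks that every permit is one of IKE (UDP/500), NAT-T (UDP/4500) or ESP,
comes from a known vendor peer, and is destined only for the DMZ-side VPN device.
"""

# The three services an IPsec peer needs; anything else on this ACL is suspect.
ALLOWED = {("udp", 500), ("udp", 4500), ("esp", None)}

# PIX accepts well-known names as well as numbers after "eq".
PORT_ALIASES = {"isakmp": 500, "500": 500, "4500": 4500}


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D', or 'NET MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_ace(line):
    """Split one access-list line into its fields."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto = t[1], t[2], t[3].lower()
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        i += 2
    return {"name": name, "action": action, "proto": proto, "src": src,
            "dst": dst, "port": port, "log": i < len(t) and t[i] == "log"}


def audit_ipsec_acl(lines, vpn_device, peers):
    """Return (findings, missing).

    findings: (line, reason) pairs for permits broader than an IPsec pass-through needs.
    missing:  the (proto, port) services no entry covers, so the tunnel would not come up.
    """
    findings, seen = [], set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        ace = parse_ace(line)
        if ace["action"] != "permit":
            continue
        port = PORT_ALIASES.get(ace["port"]) if ace["port"] else None
        service = (ace["proto"], port)
        if ace["src"] == "any" or ace["dst"] == "any":
            findings.append((line, "uses 'any'; name the peer and the VPN device instead"))
        elif ace["dst"] != vpn_device:
            findings.append((line, f"destination {ace['dst']} is not the VPN device"))
        elif ace["src"] not in peers:
            findings.append((line, f"source {ace['src']} is not a known VPN peer"))
        elif service not in ALLOWED:
            findings.append((line, f"{ace['proto']}/{ace['port']} is not IKE, NAT-T or ESP"))
        else:
            seen.add(service)
    return findings, ALLOWED - seen


# Constructed sample: the three lines from the reply with a documentation-range
# peer address standing in for the vendor's real ones, plus one over-broad line.
VPN_DEVICE = "1.1.1.2"
PEERS = {"203.0.113.10", "203.0.113.11"}
SAMPLE_ACL = """
access-list External permit udp host 203.0.113.10 host 1.1.1.2 eq 500 log
access-list External permit esp host 203.0.113.10 host 1.1.1.2 log
access-list External permit udp host 203.0.113.10 host 1.1.1.2 eq 4500 log
access-list External permit ip any host 1.1.1.2
""".strip().splitlines()


if __name__ == "__main__":
    found, missing = audit_ipsec_acl(SAMPLE_ACL, VPN_DEVICE, PEERS)
    for line, why in found:
        print(f"FLAG: {why}\n      {line}")
    for proto, port in sorted(missing, key=str):
        print(f"MISSING: no permit for {proto}" + (f"/{port}" if port else ""))
    if not found and not missing:
        print("ACL matches the IPsec pass-through policy")
```

Run against the sample, it reports the `permit ip any` line and nothing missing; drop the NAT-T entry and it reports UDP/4500 as missing, which is the usual reason a peer behind NAT negotiates IKE but never passes traffic.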

For this solution to work, does it matter that the VPN device on my end is the one starting the connection? The VPN is established by certain traffic on my side going to the specific host.

Both sides can initiate traffic without any issues. This is because your DMZ has higher priority than the "outside" interface.
