05-13-2008 03:09 PM - edited 03-11-2019 05:44 AM
Hope this is the right spot... I've done searches and found posts that are close, but no solution that has worked for me...
Summary: My firewall is a PIX 506E. The other company is using Cisco routers on both ends to maintain the VPN. I have no access to their equipment.
The Issue
I have a vendor that has put a Cisco VPN device behind my firewall. They originally told me to make sure I could ping 4 IP addresses (they supplied) and all would be fine. I was able to set up my firewall to allow the pinging to the internet. However, now they say I am reaching their end of the VPN, but my firewall is blocking IPSec.
What do I need to do so I can allow this traffic to pass through my PIX?
Thanks in advance for any help.
05-13-2008 06:20 PM
This is how I would do this:
1- Your PIX 506E only has two physical interfaces, e0 and e1.
2- Create a DMZ on your PIX 506E via 802.1q and assign a public
IP address on the DMZ interface. For example, 1.1.1.1/30 will be
the IP address of the DMZ and you assign the Cisco VPN device an
IP address of 1.1.1.2/30.
3- Create another DMZ1 on your PIX 506E with 802.1q and
assign an IP address of 10.1.1.1/30 and give the Cisco VPN device an
internal IP address of 10.1.1.2/30.
4- static (dmz,outside) 1.1.1.2 1.1.1.2 netmask 255.255.255.255
5- access-list External permit udp 4-IP_address host 1.1.1.2 eq 500 log
access-list External permit esp 4-ip-address host 1.1.1.2 log
access-list External permit udp 4-ip-address host 1.1.1.2 eq 4500 log
access-group External in interface outside
That way, you will protect your internal network from viruses traversing
the VPN. This is a classic design called sandwiching your VPN device
between the firewall.
CCIE Security
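To see what the access-list in step 5 actually lets through, here is a small model of a PIX-style first-match ACL with the implicit deny at the end. This is an added example, not code from the post above or from Cisco; the four vendor peer addresses are constructed placeholders (the post does not give them), and 1.1.1.2 is the VPN device's DMZ address from the post. It permits only IKE (UDP/500), ESP (IP protocol 50) and IKE NAT-Traversal (UDP/4500) from those peers to the VPN device, so you can check which packets reach the DMZ host and which hit the implicit deny.

```python
"""Model of the 'External' access-list from the thread (added example).

Assumptions (labelled): VENDOR_PEERS are constructed placeholder
addresses standing in for the vendor's four real IPs; the VPN device
sits at 1.1.1.2 on the DMZ with an identity static (1.1.1.2 -> 1.1.1.2),
so the outside ACL references the same address the DMZ host uses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders for the vendor's four public endpoints.
VENDOR_PEERS = ["198.51.100.10", "198.51.100.11", "203.0.113.20", "203.0.113.21"]
# VPN device address on the DMZ, as given in the post (identity static to outside).
VPN_DEVICE = ipaddress.ip_address("1.1.1.2")


@dataclass(frozen=True)
class Rule:
    proto: str                      # "udp", "tcp", "esp", ...
    src: ipaddress.IPv4Network      # source host/network
    dst: ipaddress.IPv4Network      # destination host/network
    dport: Optional[int]            # None = any port (ESP carries no ports)
    action: str = "permit"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def build_external_acl(peers: List[str]) -> List[Rule]:
    """Expand the three 'access-list External' lines once per peer.

    The post writes '4-ip-address' as shorthand; on the PIX that is one
    entry per peer, so four peers yield twelve entries.
    """
    acl: List[Rule] = []
    dst = ipaddress.ip_network(f"{VPN_DEVICE}/32")
    for p in peers:
        src = ipaddress.ip_network(f"{p}/32")
        acl.append(Rule("udp", src, dst, 500))    # IKE / ISAKMP
        acl.append(Rule("esp", src, dst, None))   # IPsec ESP (IP protocol 50)
        acl.append(Rule("udp", src, dst, 4500))   # IKE NAT-Traversal
    return acl


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in acl:
        if (r.proto == pkt.proto and src in r.src and dst in r.dst
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "deny"


if __name__ == "__main__":
    acl = build_external_acl(VENDOR_PEERS)
    samples = [
        Packet("udp", "198.51.100.10", "1.1.1.2", 500),   # IKE from a peer
        Packet("esp", "203.0.113.21", "1.1.1.2"),         # ESP from a peer
        Packet("udp", "198.51.100.10", "1.1.1.2", 4500),  # NAT-T from a peer
        Packet("udp", "192.0.2.99", "1.1.1.2", 500),      # IKE from a non-peer
        Packet("tcp", "198.51.100.10", "1.1.1.2", 22),    # SSH from a peer
    ]
    for s in samples:
        print(f"{s.proto:4} {s.src:>14} -> {s.dst} port {s.dport}: {evaluate(acl, s)}")
```

Note that because the ESP entry has no port, anything the vendor sends as protocol 50 from a listed peer is accepted; the "log" keyword on each line is what lets you confirm on the PIX which of the three entries is actually matching when the tunnel is negotiated.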
05-14-2008 06:13 AM
For this solution to work, does it matter that the VPN device on my end is the one starting the connection? The VPN is established by certain traffic on my side going to the specific host.
05-14-2008 06:51 AM
Both sides can initiate traffic without any
issues. This is because your DMZ has higher
priority than the "outside" interface.