Lan 2 Lan VPN through a firewall

Answered Question
Jan 7th, 2009
Hi,


I have a PIX firewall at base and a Cisco 871W router on the road. Sometimes the Cisco will be behind a firewall at the location. What ports would I need open on such a firewall to get L2TP to work from my PIX to the 871 unit?


Thanks


Ed

Correct Answer by sachinraja about 8 years 2 months ago

Following URL gives you the ports required to be opened if it is a PPTP or L2TP connection:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml


Hope this helps..


Raj

sachinraja Wed, 01/07/2009 - 11:04

Hello Ed


Didn't get your question. Do you mean that the Cisco 871W router will be behind a firewall? Are you talking about L2TP tunnels or IPSEC?


Raj

edw Wed, 01/07/2009 - 11:49

Hi,


Not sure - I sort of assumed IPSEC/L2TP is the same thing and then you have PPTP??


The 871W will be behind a firewall but have a static external address. My end is fine as the PIX will be doing the connection to the 871W. Does that make sense?


Thanks


Ed

sachinraja Wed, 01/07/2009 - 12:19

Ed


I really don't know why they are putting the 871 router behind a firewall. Haven't seen many designs like this. Don't they have an external router to terminate VPN connections? Or can't they terminate the VPN on the firewall?


In any case, if you want IPSEC to work, the firewall must allow IP protocols ESP (50) and AH (51). You also need to allow IKE, which works on UDP 500.


access-list 100 permit esp any host 1.1.1.1
access-list 100 permit ahp any host 1.1.1.1
access-list 100 permit udp any host 1.1.1.1 eq isakmp


For L2TP and PPTP you have other ports.


Hope this helps.. all the best..


Raj

edw Wed, 01/07/2009 - 12:42

Is there an easy way for me to tell if it's L2TP or IPSEC - sorry, still on hols and not all here. I should know this myself as I coded the PIX. Back to work tomorrow - don't know what I'm going to be like :)


The reason it's behind a firewall is simple. Some locations where my exhibition is touring may not have an IT team or may not be able to provide an internet connection that is in front of their own defenses - unfortunately it happens....


Thanks


Ed

sachinraja Wed, 01/07/2009 - 13:16

Ed..


This is a site-to-site tunnel, right? Not remote access VPN? If it is site-to-site, I am sure it would be IPSEC. You can see "crypto" commands on the PIX, to identify it as IPSEC. If it is remote access, it could be anything between IPSEC, L2TP, PPTP etc. These are the standards used elsewhere. If it is IPSEC, allow the ports that I had given you in my first post, and it should work then. You also need to allow ICMP through, with the TCP/IP protocols given.


Hope this helps.. all the best..


Raj
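Added example, not part of the thread or of any Cisco tool: a small Python check that parses IOS-style extended ACL lines like the ones Raj posted and reports which of the flows named in this thread (ESP, AH, IKE on UDP 500, and ICMP from the last reply) the firewall in front of the 871W would still drop. It assumes the simplified ACE syntax shown in the thread, matches on protocol, destination and port only (source is treated as "any"), and uses the constructed address 1.1.1.1 from Raj's ACL.

```python
import ipaddress
PROTO_KEYWORDS = {"ip", "esp", "ahp", "udp", "tcp", "icmp"}  # "ip" matches any protocol
PORT_NAMES = {"isakmp": 500}  # named port used in the thread's ACL
# Flows the thread says the peer firewall must accept toward the tunnel endpoint:
# ESP (IP protocol 50), AH (IP protocol 51), IKE on UDP 500, and ICMP (last reply).
REQUIRED_FLOWS = [("esp", None), ("ahp", None), ("udp", 500), ("icmp", None)]

def _parse_addr(t, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(t[i + 1]))
    if wildcard & (wildcard + 1):  # only contiguous wildcard masks are handled
        raise ValueError("non-contiguous wildcard mask: " + t[i + 1])
    return ipaddress.ip_network((t[i], 32 - wildcard.bit_length()), strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'; return a dict, or None."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    if t[3].lower() not in PROTO_KEYWORDS:
        raise ValueError("unsupported protocol keyword: " + t[3])
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i + 1 < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[2], "proto": t[3].lower(), "src": src, "dst": dst, "dport": dport}

def first_match(acl, proto, dst_ip, dport=None):
    """Action of the first ACE matching the flow (source is treated as 'any'), or 'deny'
    for the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if ace["proto"] in ("ip", proto) and dst_ip in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"]
    return "deny"

def missing_ipsec_flows(acl_text, peer):
    """Return the required (proto, dport) flows the ACL does not permit toward the tunnel peer."""
    acl = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    peer_ip = ipaddress.ip_address(peer)
    return [f for f in REQUIRED_FLOWS if first_match(acl, f[0], peer_ip, f[1]) != "permit"]
# Constructed sample: the ACL from the thread, with "1..1.1.1" corrected to 1.1.1.1
THREAD_ACL = ("access-list 100 permit esp any host 1.1.1.1\n"
              "access-list 100 permit ahp any host 1.1.1.1\n"
              "access-list 100 permit udp any host 1.1.1.1 eq isakmp\n")
```

Running `missing_ipsec_flows(THREAD_ACL, "1.1.1.1")` reports only ICMP as missing; adding a `permit icmp` line, or a broader `permit ip` entry covering the peer, clears the list, while a `deny` that sits earlier in the ACL is honoured first-match, just as IOS evaluates it.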
