
Access to VPN from internal network to external network - PIX configuration

pesanchez2002
Level 1

I have one PIX firewall facing the Internet. I need to give a computer in my internal network access to an IP address in the external network for one VPN connection.

I have read up on this, and I think that the configuration is the following:

I don't know the type of VPN.

i.i.i.i = IP address of the PC in the internal network

e.e.e.e = IP address of the VPN destination in the external network

VPN IPsec

---------

access-list dmzx extended permit udp host i.i.i.i host e.e.e.e eq 500

! ESP (IP protocol 50)
access-list dmzx extended permit esp host i.i.i.i host e.e.e.e

! AH (IP protocol 51)
access-list dmzx extended permit ah host i.i.i.i host e.e.e.e

VPN L2TP

--------

The same configuration

VPN SSL

-------

access-list dmzx extended permit udp host i.i.i.i host e.e.e.e eq 1194

VPN PPTP

-------

! PPTP control channel (TCP port 1723)
access-list dmzx extended permit tcp host i.i.i.i host e.e.e.e eq 1723

! GRE (IP protocol 47)
access-list dmzx extended permit gre host i.i.i.i host e.e.e.e

1 Reply

John Blakley
VIP Alumni

It's been a long time since I've worked on a PIX, but I believe you can do:

fixup protocol pptp

If the host can get on the internet, you should be able to use the above command without any extra configuration. Now, if you have an inside ACL that exists (you're showing a DMZ ACL), then you'd need to allow whatever types of ports you need. And it really depends on what type of client you're using as to what ports to open.

HTH,

John

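
ESP, AH and GRE are IP protocols (numbers 50, 51 and 47), not TCP or UDP ports, so an ACL matches them by protocol keyword without `eq`. The following check for that mix-up is an added example, not part of the thread or of any Cisco tooling; the ACL name `inside_out` and the addresses are constructed, and the regular expression covers only the host-to-host form used above.

```python
import re

# IP protocol numbers that are easy to mistake for TCP/UDP port numbers.
IP_PROTOCOLS = {47: "gre", 50: "esp", 51: "ah"}

# Assumption: only the "permit <proto> host A host B [eq N]" form is parsed.
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\S+)"
    r"\s+host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\d+))?"
)

def check_acl_line(line):
    """Return (status, suggestion); status is ok, suspect, invalid or skip."""
    m = ACL_RE.match(line.strip())
    if m is None:
        return ("skip", None)          # not an ACL line this check understands
    proto = m["proto"].lower()
    if m["port"] is None:
        return ("ok", None)            # protocol-only match, no port operator
    port = int(m["port"])
    if port in IP_PROTOCOLS:
        # Heuristic: 47/50/51 after eq usually means GRE/ESP/AH was intended.
        fixed = (f"access-list {m['name']} extended permit {IP_PROTOCOLS[port]} "
                 f"host {m['src']} host {m['dst']}")
        return ("suspect", fixed)
    if proto not in ("tcp", "udp"):
        return ("invalid", None)       # eq only makes sense with tcp or udp
    return ("ok", None)

def lint(config):
    """Return (line number, status, suggestion) for every flagged line."""
    findings = []
    for number, line in enumerate(config.splitlines(), start=1):
        status, suggestion = check_acl_line(line)
        if status in ("suspect", "invalid"):
            findings.append((number, status, suggestion))
    return findings

# Constructed sample; addresses come from the documentation ranges.
SAMPLE = """\
access-list inside_out extended permit udp host 192.0.2.10 host 198.51.100.20 eq 500
access-list inside_out extended permit ip host 192.0.2.10 host 198.51.100.20 eq 50
access-list inside_out extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 1723
access-list inside_out extended permit tcp host 192.0.2.10 host 198.51.100.20 eq 47
access-list inside_out extended permit esp host 192.0.2.10 host 198.51.100.20
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```

A `suspect` result is a prompt to review the line, since 47, 50 and 51 are also valid (if rarely used) port numbers.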