I do have PIX firewalls deployed across my network. A sample site is attached in the diagram. Since I am new to the PIX world, with less knowledge, please advise me how to allow my users behind the 10.2.0.0 subnet to connect to their own corporate VPNs. Some of them need to connect to an MS VPN - domain abc (PPTP), and some need to connect to a Cisco PIX VPN - domain xyz (IPsec) remote access VPN. What should my concerns be:
1. IP address allocation from other side?
2. security concerns?
How can I allow requests to multiple, multi-protocol VPNs through my firewall?
Anyone who did a similar setup, please advise me. I do have the authority to make whatever changes are required in the PIX; this box is still in the test phase.
These are the standard ports used for IPsec/PPTP etc.:
IPsec: please open the following on the PIX:
UDP 4500 & UDP 500 - ISAKMP/NAT-T
AH / ESP IP access
TCP 443 - SSL VPN (if any)
You can also add the sysopt commands for IPsec on your firewall.
Are there any ACLs defined on the inside of the firewall? If yes, you need to add the above, or it really doesn't matter. But the best practice anyway is to add an ACL on the inside interface too!!
Also, enable split tunneling on the VPN concentrator if possible and tunnel ONLY the traffic that is required to go on the IPsec tunnel... if you tunnel everything (which is ON by default), there are chances of any rogue packet flooding on your VPN network. You can allocate a separate IP pool for IPsec VPN users and give the required permission on the VPN concentrator. This is always preferred over giving the IP pool from the same LAN network on the destination.
Hope this helps... Try this and let us know... rate replies if found useful..
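As an added illustration of the port list above (this is not configuration posted by anyone in the thread, and not a vendor-supplied template), here is what an outbound ACL on the inside interface could look like for the original poster's scenario. It assumes PIX 6.x syntax, that the inside network is 10.2.0.0/16 behind an interface named "inside", and that the ACL name "inside_out" is invented; the PPTP lines (TCP 1723 plus GRE, IP protocol 47) are added because the thread's list covers only the IPsec side.

```cisco
! Added example, not from the thread. Assumed: PIX 6.x, inside net 10.2.0.0/16,
! interface "inside", ACL name "inside_out" (all placeholders to adjust).
!
! --- IPsec remote access to the "xyz" PIX concentrator ---
access-list inside_out permit udp 10.2.0.0 255.255.0.0 any eq isakmp
access-list inside_out permit udp 10.2.0.0 255.255.0.0 any eq 4500
access-list inside_out permit esp 10.2.0.0 255.255.0.0 any
access-list inside_out permit ah 10.2.0.0 255.255.0.0 any
! SSL VPN only if some client actually uses it
access-list inside_out permit tcp 10.2.0.0 255.255.0.0 any eq 443
!
! --- MS PPTP to the "abc" domain: control channel plus GRE data channel ---
access-list inside_out permit tcp 10.2.0.0 255.255.0.0 any eq 1723
access-list inside_out permit gre 10.2.0.0 255.255.0.0 any
!
! Your normal outbound permits go here, then an explicit logged deny so
! "show access-list" / syslog show what the inside users are still blocked on.
access-list inside_out deny ip any any log
access-group inside_out in interface inside
!
! PIX 6.3+: PPTP fixup so GRE sessions are tracked per client when they share
! one PAT address (on ASA the equivalent is "inspect pptp" in a policy-map).
fixup protocol pptp 1723
```

Two practical notes. First, replace `any` in the destination column with the actual public addresses of the abc PPTP server and the xyz concentrator once they are known; that keeps the rule set from opening 1723/GRE/ESP to every host on the Internet and makes the logged deny meaningful. Second, if several inside users sit behind a single PAT address, raw ESP cannot be distinguished per client, which is why UDP 4500 (NAT-T) is the line that matters most for the IPsec group, and why the PPTP fixup is needed for more than one PPTP user at a time.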
Is there any step-by-step config guide I can work on for my firewall? BTW, I do not have any support from the other side's VPN (both MS PPTP and Cisco IPsec), so zero chance to modify others' networks.
I am just investigating the chance of modifying commands on my firewall to allow my inside users (10.2.0.0 subnet) to access their corporate VPN. I got a general idea from your e-mail, but I am stuck on the actual config.
Please let me know if you can assist me with a sample config or URL.