Cisco Support Community
edw
New Member

Lan 2 Lan VPN through a firewall

Hi,

I have a PIX firewall at base and a Cisco 871W router on the road. Sometimes the Cisco will be behind a firewall at the location. What ports would I need open on such a firewall to get L2TP to work from my PIX to the 871 unit?

Thanks

Ed

1 ACCEPTED SOLUTION

Re: Lan 2 Lan VPN through a firewall

The following URL gives you the ports required to be opened if it is a PPTP or L2TP connection:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

Hope this helps..

Raj

6 REPLIES

Re: Lan 2 Lan VPN through a firewall

Hello Ed

Didn't get your question. Do you mean that the Cisco 871W router will be behind a firewall? Are you talking about L2TP tunnels or IPSEC?

Raj

edw
New Member

Re: Lan 2 Lan VPN through a firewall

Hi,

Not sure. I sort of assumed IPSEC/L2TP are the same thing, and then you have PPTP??

The 871W will be behind a firewall but will have a static external address. My end is fine, as the PIX will be doing the connection to the 871W. Does that make sense?

Thanks

Ed

Re: Lan 2 Lan VPN through a firewall

Ed

I really don't know why they are putting the 871 router behind a firewall. Haven't seen many designs like this. Don't they have an external router to terminate VPN connections? Or can't they terminate the VPN on the firewall?

In any case, if you want IPSEC to work, the firewall must allow the IP protocols ESP (50) and AH (51). You also need to allow IKE, which works on UDP 500.

access-list 100 permit esp any host 1.1.1.1
access-list 100 permit ahp any host 1.1.1.1
access-list 100 permit udp any host 1.1.1.1 eq isakmp

For L2TP and PPTP you have other ports.

Hope this helps.. all the best..

Raj
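The ACL in the reply above is the whole answer for plain IPsec, but the one thing a practitioner checks before shipping it to a site is whether the firewall in front of the 871W also translates addresses: when a NAT device sits between the peers, IKE negotiates NAT traversal and ESP is carried inside UDP 4500, which the three lines above do not permit. The script below is an added example written for this edit, not code from the thread or from Cisco. It parses IOS-style extended ACL lines (the ones Raj posted, plus a fourth line for UDP 4500) and evaluates a set of constructed flows against them with IOS first-match and implicit-deny semantics. The PIX source address 203.0.113.10, the `parse_acl`/`evaluate`/`check` names, and the flow table are all assumptions for illustration; 1.1.1.1 is the placeholder 871W address used in the reply.

```python
"""Evaluate IOS-style extended ACL lines against candidate VPN flows.

Added example for this thread (not Cisco code). It shows which of the
flows an IPsec peer needs are permitted by the posted ACL, and that the
NAT-T flow (UDP 4500) is dropped unless an extra line is added.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# IOS protocol keywords -> IP protocol numbers (IANA assignments). "ip" matches any.
PROTO_NUM = {"ip": None, "esp": 50, "ahp": 51, "gre": 47, "udp": 17, "tcp": 6, "icmp": 1}
# IOS port keywords used in the thread's ACL; numeric ports are also accepted.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D wildcard) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address + wildcard (inverse) mask; assumes a contiguous wildcard such as 0.0.255.255
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = 32 - bin(wildcard).count("1")
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], PROTO_NUM[t[3]]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], flow: Flow) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for a in aces:
        if a.proto is not None and a.proto != flow.proto:
            continue
        if ipaddress.ip_address(flow.src) not in a.src:
            continue
        if ipaddress.ip_address(flow.dst) not in a.dst:
            continue
        if a.dport is not None and a.dport != flow.dport:
            continue
        return a.action
    return "deny"


# The ACL from the reply (ESP, AH, IKE on UDP 500), with the ahp typo corrected.
THREAD_ACL = """
access-list 100 permit esp any host 1.1.1.1
access-list 100 permit ahp any host 1.1.1.1
access-list 100 permit udp any host 1.1.1.1 eq isakmp
"""

# Same ACL plus NAT traversal: behind a NAT device ESP rides inside UDP 4500.
NAT_T_ACL = THREAD_ACL + "access-list 100 permit udp any host 1.1.1.1 eq 4500\n"

# Constructed flows from an assumed PIX address (203.0.113.10) to the 871W at 1.1.1.1.
FLOWS = {
    "ike":   Flow(17, "203.0.113.10", "1.1.1.1", 500),
    "esp":   Flow(50, "203.0.113.10", "1.1.1.1"),
    "ah":    Flow(51, "203.0.113.10", "1.1.1.1"),
    "nat-t": Flow(17, "203.0.113.10", "1.1.1.1", 4500),
    "gre":   Flow(47, "203.0.113.10", "1.1.1.1"),
}


def check(acl_text: str) -> dict:
    """Return {flow name: 'permit'|'deny'} for every constructed flow under acl_text."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("thread ACL", THREAD_ACL), ("with NAT-T", NAT_T_ACL)):
        print(label, check(acl))
```

Running it shows the posted ACL permits IKE, ESP and AH but denies the UDP 4500 flow, so a site that NATs the 871W needs the fourth line (and the firewall's NAT must map UDP 500/4500 to the router). The GRE flow is there to make the implicit deny visible: nothing a PPTP tunnel needs passes this ACL, which is the reply's point that L2TP and PPTP use other ports.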

edw
New Member

Re: Lan 2 Lan VPN through a firewall

Is there an easy way for me to tell if it's L2TP or IPSEC? Sorry, still on hols and not all here. I should know this myself as I coded the PIX. Back to work tomorrow, don't know what I'm going to be like :)

The reason it's behind a firewall is simple. Some locations where my exhibition is touring may not have an IT team, or may not be able to provide an internet connection that is in front of their own defenses. Unfortunately it happens....

Thanks

Ed

Re: Lan 2 Lan VPN through a firewall

Ed..

This is a site-to-site tunnel, right? Not remote access VPN? If it is site-to-site, I am sure it would be IPSEC. You can see "crypto" commands on the PIX to identify it as IPSEC. If it is remote access, it could be anything between IPSEC, L2TP, PPTP etc. These are the standards used elsewhere. If it is IPSEC, allow the ports that I had given you in my first post, and it should work then. You also need to allow ICMP through, with the TCP/IP protocols given.

Hope this helps.. all the best..

Raj
