Cisco Support Community

New Member

Pass IPSec through PIX 506

Hope this is the right spot...I've done searches and found posts that are close, but no solution that has worked for me....

Summary: My firewall is a PIX 506E. The other company is using Cisco routers on both ends to maintain the VPN. I have no access to their equipment.

The Issue

I have a vendor that has put a Cisco VPN device behind my firewall. They originally told me to make sure I could ping 4 IP addresses (they supplied) and all would be fine. I was able to set up my firewall to allow the pinging to the internet. However, now they say I am reaching their end of the VPN, but my firewall is blocking IPSec.

What do I need to do so I can allow this traffic to pass through my PIX?

Thanks in advance for any help.


Re: Pass IPSec through PIX 506

This is how I would do this:

1- Your PIX 506E only has two physical interfaces, e0 and e1.

2- Create a DMZ on your PIX 506E via 802.1q and assign a public IP address on the DMZ interface. For example, will be the IP address of the DMZ and you assign the Cisco VPN device an IP address of,

3- Create another DMZ1 on your PIX 506E with 802.1q and assign an IP address and give the Cisco VPN device an internal IP address of

4- static (dmz,outside) netmask

5- access-list External permit udp 4-IP_address host eq 500 log

access-list External permit esp 4-ip-address host log

access-list External permit udp 4-ip-address host eq 4500 log

access-group External in interface outside

That way, you will protect your internal network from viruses traversing the VPN. This is a classic design called sandwiching your VPN device between the firewall.

CCIE Security
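An added check, not from this thread and not Cisco's code, that parses host-to-host PIX-style access-list lines and reports, per remote peer, which of the three IPsec flows named in step 5 above (IKE on UDP/500, ESP, NAT-T on UDP/4500) the outside ACL does not yet permit to the VPN device. The addresses are constructed documentation-range values standing in for the ones elided in the post; network/mask and "any" entries are assumed out of scope.

```python
import re

# Constructed sample ACL (documentation-range addresses, not values from the thread):
# 203.0.113.20 stands in for the VPN device's public DMZ address, 198.51.100.10-12 for peers.
SAMPLE_ACL = """
access-list External permit udp host 198.51.100.10 host 203.0.113.20 eq 500 log
access-list External permit esp host 198.51.100.10 host 203.0.113.20 log
access-list External permit udp host 198.51.100.11 host 203.0.113.20 eq isakmp log
access-list External permit udp host 198.51.100.11 host 203.0.113.20 eq 4500 log
access-list External permit tcp host 198.51.100.12 host 203.0.113.20 eq 500 log
""".strip().splitlines()

# The three flows a site-to-site IPsec peer needs through the outside ACL:
# IKE (UDP/500), ESP itself (IP protocol 50), and NAT-T (UDP/4500).
REQUIRED = {"ike": ("udp", "500"), "esp": ("esp", None), "nat-t": ("udp", "4500")}
PORT_ALIAS = {"isakmp": "500"}  # PIX accepts the service name in place of the number

# Only host-to-host permit entries are parsed; network/mask and 'any' forms are ignored.
LINE_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+(\w+)\s+host\s+(\S+)\s+host\s+(\S+)(?:\s+eq\s+(\S+))?"
)

def parse_acl(lines):
    """Return (acl_name, proto, src, dst, port) tuples for host-to-host permit lines."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, proto, src, dst, port = m.groups()
        if port is not None:
            port = PORT_ALIAS.get(port.lower(), port)
        entries.append((name, proto.lower(), src, dst, port))
    return entries

def missing_ipsec_permits(lines, vpn_host, peers):
    """Map each peer to the list of required IPsec flows the ACL does not yet permit."""
    entries = parse_acl(lines)
    missing = {}
    for peer in peers:
        gaps = [
            label for label, (proto, port) in REQUIRED.items()
            if not any(e[1:] == (proto, peer, vpn_host, port) for e in entries)
        ]
        if gaps:
            missing[peer] = gaps
    return missing
```

Running it over the sample reports the third peer as blocked for all three flows because its entry permits TCP rather than UDP on port 500, the kind of slip that produces exactly the "pings work but IPSec is blocked" symptom described in the question.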

New Member

Re: Pass IPSec through PIX 506

For this solution to work, does it matter that the VPN device on my end is the one starting the connection? The VPN is established by certain traffic on my side going to the specific host.


Re: Pass IPSec through PIX 506

Both sides can initiate traffic without any issues. This is because your DMZ has higher priority than the "outside" interface.