Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
0
Helpful
3
Replies

IP Sec tunnel to a firewall in DMZ of another firewall

mazars-cisco
Level 1
Level 1

‎02-10-2014 03:19 AM - edited ‎03-11-2019 08:43 PM

Hi,

We will share the Internet line with the building management. Building management have Cisco firewall 5510 and we will connect our Cisco firewall 5505 to the Building management firewall DMZ port. We have been given one public IP address to assign to our firewall.

My question is can we configure IPsec site-2-site VPN tunnel on our firewall to another site although this firewall is connecting to building management firewall DMZ port.

Thanks for your help.

Sethi

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎02-10-2014 05:00 AM

Hi,

Are they allocating a public IP address directly to your ASA5505 firewall or is this done through Static NAT on their ASA5510 firewall?

Either way you should be able to configure a L2L VPN from this ASA to another VPN device on some remote location.

If they are allocating your ASA a public IP address directly that you will be configuring in its interface then I would imagine the main things you would need to make sure is that the ASA5510 firewall admins allow UDP/500 and ESP through their firewall to the public IP address of your ASA5505. I presume they would not be doing any NAT for this IP address and would either be doing NAT0 or Static Identity NAT for your public IP address. (so it passes without NAT through their firewall)

If they are doing Static NAT on the ASA5510 I think they would also have to allow UDP/4500 through their firewall to your ASA5505 public IP address. In this case you might also need NAT Traversal configurations on the VPN devices.

- Jouni

0 Helpful

Marius Gunnerud
VIP
VIP

‎02-10-2014 05:02 AM

Yes,  but port 500 and 4500 have to be allowed through the managment firewall for this to work.  So make sure that they have an access list that permits those ports (if they haven't already allowed all traffic through that is.)

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

mazars-cisco
Level 1
Level 1

‎02-10-2014 05:11 AM

Thanks Guys for your help and feedback. I will implement this in few weeks time and will let you know.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card