Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

allow ipsec traffic from outisde to inside

I am trying to allow ipsec traffic to a inside vpn device. I have a pix 506e with one public static IP and NAT inside.

thanks for any help

Moises Perez

3 REPLIES

Re: allow ipsec traffic from outisde to inside

Hi .. because your device is behind the PIX then you need to use NAT-T ( nat traversal ) to allow Ipsec over UDP to traverse the PIX. Depending on the client your are using you will have to allow whatever ports are used for the encapsulation. for example Cisco VPN client uses UDP 4500 or TCP 10000 by default. An so in the case of cisco vpn client you only need to allow UDP 4500 or TCP 10000 on the access-list applied to the Inside and Outside interfaces. i.e

access-list Outside-In permit udp any host netmask 255.255.255.255 eq 4500

access-list Outside-In permit tcp any host netmask 255.255.255.255 eq 10000

access-group Outside-In in interface outside

access-list Inside-Out permit udp host any eq 4500

access-list Inside-Out permit tcp host any eq 10000

access-group Inside-Out in interface inside

I hope it helps .. please rate if it does !!!

New Member

Re: allow ipsec traffic from outisde to inside

I need to allow ipsec traffic from outside to inside VPN router. The issue is now that I have only one public static ip.

I can not add the first command because it overlaps with already mapped ips

static (inside,outside) x.x.x.x 192.168.1.51

access-list inbound permit esp any host x.x.x.x

access-list inbound permit udp any host x.x.x.x eq isakmp

Can I acomplish this with only one IP? TAC is saying no.

thx,

Moises

Re: allow ipsec traffic from outisde to inside

Hi .. because your device is behind a PIX which does nat you need to use NAT-T ( Ipsec over UDP/TCP). If you have already a one to one static using the only public IP address available, then your only option is to use port forwading if it applies to your set up.

static (inside,outside) UDP 4500 4500 netmask 255.255.255.255

with port forwarding you can use one Public IP address and then redirect the traffic to inside devices as long as the ports are different .. in other words you can use the same public IP and redirect traffic on ports 80, 443,500,25 etc .. to 4 different servers .. again as long as the ports are different then this would be your only option if you can't get anotehr public IP.

I hope it helps .. please rate if it does !!!

94
Views
0
Helpful
3
Replies