Enable IPSEC

acira
Level 1

How do I allow IPSEC through PIX 515 firewall for versions 4.4 and 6.2?

1 Reply

ehirsel
Level 6

For pix v6.2 if you want to have IPSec flow through, but not to, the pix you will need to allow udp traffic between the two ipsec peers for ike (that is source and dest ports are eq 500), and you will need to allow the esp and/or ah protocols between the two endpoints (permit ah ..... and permit esp .....) on both pix interfaces that will send and receive the ike and ipsec traffic. This is because you do not know which end will initiate the traffic.

That is in addition to the static statements that will be needed to allow the traffic to reach an inside host.

As an example:

1. Say hosts 10.20.2.2 and 10.30.3.3 are the two endpoints and your pix interface names are in and out. Let's say that NAT will not be used, so that the inside server, 10.20.2.2 is seen as 10.20.2.2 by the other host.

2. Your inside interface acl would look like this:

access-list inside_acl permit udp host 10.20.2.2 eq 500 host 10.30.3.3 eq 500

access-list inside_acl permit esp host 10.20.2.2 host 10.30.3.3

access-list inside_acl permit ah host 10.20.2.2 host 10.30.3.3

3. Your outside interface acl would look similar except that the source and dest hosts would be reversed.

For pix v4.4 you can't use access-lists, but the conduit, static, and outbound/apply statements would need to be configured in a similar fashion.

I hope this helps.
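The reply's three steps assembled into one complete PIX 6.2 fragment, as an added example that is not the poster's own configuration: the outside ACL from step 3 written out with source and destination reversed, both ACLs bound to their interfaces with access-group, and the identity static the reply mentions so that 10.20.2.2 keeps its own address across the firewall. Interface names in and out follow the post; lines beginning with ":" are comment lines.

```cisco
: Inside interface ACL: only the two IPsec peers, only IKE (udp/500), ESP and AH
access-list inside_acl permit udp host 10.20.2.2 eq 500 host 10.30.3.3 eq 500
access-list inside_acl permit esp host 10.20.2.2 host 10.30.3.3
access-list inside_acl permit ah host 10.20.2.2 host 10.30.3.3
access-group inside_acl in interface in
:
: Outside interface ACL: same three entries with source and destination reversed,
: because either peer may be the one that initiates IKE
access-list outside_acl permit udp host 10.30.3.3 eq 500 host 10.20.2.2 eq 500
access-list outside_acl permit esp host 10.30.3.3 host 10.20.2.2
access-list outside_acl permit ah host 10.30.3.3 host 10.20.2.2
access-group outside_acl in interface out
:
: Identity static (no address translation) so the outside peer can reach
: 10.20.2.2 as 10.20.2.2; required even though the ACL already permits the flow
static (in,out) 10.20.2.2 10.20.2.2 netmask 255.255.255.255
```

Scoping every entry to the two peer hosts keeps the opening to the minimum the tunnel needs; a single-direction ACL will appear to work only until the other side happens to initiate.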