Cisco Support Community

Enable IPSEC

How do I allow IPSEC through PIX 515 firewall for versions 4.4 and 6.2?


Re: Enable IPSEC

For pix v6.2, if you want to have IPSec flow through, but not to, the pix, you will need to allow udp traffic between the two ipsec peers for ike (that is, source and dest ports are eq 500), and you will need to allow the esp and/or ah protocols between the two endpoints (permit ah ..... and permit esp .....) on both pix interfaces that will send and receive the ike and ipsec traffic. This is because you do not know which end will initiate the traffic.

That is in addition to the static statements that will be needed to allow the traffic to reach an inside host.

As an example:

1. Say hosts and are the two endpoints and your pix interface names are in and out. Let's say that NAT will not be used, so that the inside server, is seen as by the other host.

2. Your inside interface acl would look like this:

access-list inside_acl permit udp host eq 500 host eq 500

access-list inside_acl permit esp host host

access-list inside_acl permit ah host host

3. Your outside interface acl would look similar except that the source and dest hosts would be reversed.

For pix v4.4 you can't use access-lists, but the conduit, static, and outbound/apply statements would need to be configured in a similar fashion.

I hope this helps.
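To make the reasoning in the answer above concrete, here is an added example (not the poster's configuration and not Cisco code) that models the pix v6.2 access-list pair as a small first-match, implicit-deny evaluator. It encodes the three entries from the answer on the "in" interface and the same three with source and destination reversed on "out", then checks that IKE succeeds no matter which peer initiates and that ESP and AH pass both ways. The two addresses are hypothetical placeholders chosen for the example; the original post does not give them.

```python
"""Model of the PIX 6.2 IPsec pass-through ACL pair described in the answer.

Added example, not the original post's configuration. The endpoint
addresses are hypothetical placeholders (assumption), the interface names
"in" and "out" are the ones used in the post.
"""
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers behind the ACL keywords "udp", "esp" and "ah".
UDP, ESP, AH = 17, 50, 51
IKE_PORT = 500

# Hypothetical endpoints (assumption; the post omits the real addresses).
INSIDE_SERVER = "10.1.1.10"   # host behind the "in" interface, no NAT
REMOTE_PEER = "192.0.2.20"    # IPsec peer reached through "out"


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # ports only meaningful for UDP here
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One 'access-list <name> permit <proto> host S [eq p] host D [eq p]' entry."""
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if (p.proto, p.src, p.dst) != (self.proto, self.src, self.dst):
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def passthrough_acl(local: str, remote: str) -> list:
    """The three entries from the answer: IKE 500/500, ESP and AH between the peers."""
    return [
        Ace(UDP, local, remote, IKE_PORT, IKE_PORT),  # permit udp host L eq 500 host R eq 500
        Ace(ESP, local, remote),                      # permit esp host L host R
        Ace(AH, local, remote),                       # permit ah host L host R
    ]


# inside_acl is applied to traffic arriving on "in" (LAN -> peer);
# outside_acl is the same list with source and destination reversed.
ACLS = {
    "in": passthrough_acl(INSIDE_SERVER, REMOTE_PEER),
    "out": passthrough_acl(REMOTE_PEER, INSIDE_SERVER),
}


def permitted(interface: str, p: Packet) -> bool:
    """PIX ACL semantics: first matching permit wins, implicit deny at the end."""
    return any(ace.matches(p) for ace in ACLS[interface])


def classify_flow(p: Packet) -> bool:
    """Send the packet to the interface it would arrive on, based on its source."""
    if p.src == INSIDE_SERVER:
        return permitted("in", p)
    if p.src == REMOTE_PEER:
        return permitted("out", p)
    return False  # unknown source: nothing in either list matches


def ike_negotiation_allowed(initiator: str, responder: str) -> bool:
    """IKE needs the request and the reply, so both directions must be permitted."""
    req = Packet(UDP, initiator, responder, IKE_PORT, IKE_PORT)
    rep = Packet(UDP, responder, initiator, IKE_PORT, IKE_PORT)
    return classify_flow(req) and classify_flow(rep)


def ipsec_data_allowed(proto: int) -> bool:
    """ESP or AH must pass in both directions for the tunnel to carry traffic."""
    return (classify_flow(Packet(proto, INSIDE_SERVER, REMOTE_PEER))
            and classify_flow(Packet(proto, REMOTE_PEER, INSIDE_SERVER)))


if __name__ == "__main__":
    print("IKE inside->peer:", ike_negotiation_allowed(INSIDE_SERVER, REMOTE_PEER))
    print("IKE peer->inside:", ike_negotiation_allowed(REMOTE_PEER, INSIDE_SERVER))
    print("ESP:", ipsec_data_allowed(ESP), "AH:", ipsec_data_allowed(AH))
    # 'eq 500 ... eq 500' means an IKE packet from a non-500 source port is dropped.
    print("IKE from ephemeral port:",
          classify_flow(Packet(UDP, REMOTE_PEER, INSIDE_SERVER, 40000, IKE_PORT)))
```

The last check shows the consequence of the answer's "source and dest ports are eq 500": an IKE packet from any other source port is silently denied, which is the first thing to look for if the tunnel negotiation fails only when one particular side initiates. The static statement the answer mentions is not modelled here.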
