Cisco Support Community
Community Member

Firewall config for VPN concentrator behind the firewall?

I was wondering if anyone has a config for the firewall (what ports need to be opened) when using IPsec and IKE private key exchange when the VPN concentrator is behind the firewall. The documentation for the concentrator says to open IP ports 50 and 51. I also was wondering if there is anything else I need to configure on the firewall, like do I need to restrict NAT for these packets?

All help is greatly appreciated!

Cisco Employee

Re: Firewall config for VPN concentrator behind the firewall?

                    pub IP                      pub IP  in      out
Corp net------------VPN3K-------------------PIX------------Net------- VPN clients

1) On the PIX you must define a static for the VPN3K public IP. This is the peer IP that the clients or other VPN 3Ks will connect to.

static (inside,outside) <3K_global_ip> <3K_pub_IP> netmask 255.255.255.255 0 0

(note: this cannot be a PAT address)

2) Define the access-list for the clients that will connect to the VPN 3K. This is for standard IKE/IPsec (UDP 500 = IKE, IP protocol 50 = ESP):

access-list acl_in permit udp any host <3K_global_ip> eq 500

access-list acl_in permit esp any host <3K_global_ip>

3) If you are using NAT Transparency on the clients you further need to open up those ports on the PIX (NAT-T = UDP 4500, and IPsec over TCP = TCP 10000 by default).

On the VPN 3000 enable NAT Transparency under Config | System | Tunneling Protocols | IPsec | NAT Transparency.

The following link contains lots of info on how to connect a PIX to VPN 3Ks in different modes:

Hope this helps
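Putting the three steps of the reply above together, here is an added, complete PIX-side example (it is not from the original post; the addresses 10.1.1.5 for the concentrator's public interface, 203.0.113.5 for its mapped address on the PIX outside, and the access-list name acl_in are assumed):

```text
! Assumed addresses (example only): VPN 3000 public interface = 10.1.1.5,
! one-to-one global address on the PIX outside = 203.0.113.5
static (inside,outside) 203.0.113.5 10.1.1.5 netmask 255.255.255.255 0 0

! Standard IKE/IPsec: ISAKMP on UDP 500, ESP is IP protocol 50 (no ports)
access-list acl_in permit udp any host 203.0.113.5 eq 500
access-list acl_in permit esp any host 203.0.113.5

! Only needed if NAT Transparency is enabled on the VPN 3000:
! NAT-T (UDP 4500) and IPsec over TCP (TCP 10000 by default)
access-list acl_in permit udp any host 203.0.113.5 eq 4500
access-list acl_in permit tcp any host 203.0.113.5 eq 10000

! The list does nothing until it is bound inbound on the outside interface
access-group acl_in in interface outside
```

Two points worth checking on a live box: the static must be one-to-one because ESP carries no port numbers that PAT could rewrite, which is also why the reply says a PAT address will not work; and `sysopt connection permit-ipsec` only bypasses the ACL for tunnels that terminate on the PIX itself, so it does not replace the permit lines for a concentrator sitting behind it. The 4500/10000 lines only help if the VPN 3000 also has NAT Transparency enabled as described in step 3, otherwise the concentrator never listens there.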

