Cisco Support Community

Setting up a PIX behind a NAT router for Remote Access and VPN

Hi all,

I am looking for some basic guidelines for setting up a PIX 501 behind a NAT router. I've set up a few of them, but I seem to do it differently every time and I want to create a standard list of bullet points to hit every time I do one. Seems like no DSL providers around here offer bridged service anymore, so I have to make do behind their end user device, which is always some conglomeration of NAT router and firewall.

First off, what ports do I need forwarded to the PIX inbound for L2L VPN? Here is what I've been forwarding:

UDP 500 inbound > PIX

UDP 4000 inbound > PIX

Second, what do I need to do to ensure remote access to the PIX? I assume forwarding TCP 22 inbound > PIX would handle SSH, but are there any others I should forward?

I know some routers have the 'DMZ Host' feature which basically NATs an inside host directly to the Internet, but that usually also disables remote access to the DSL modem, which I want to retain if possible. I also want to be able to remotely manage the PIX without an IPSEC tunnel in case I need to troubleshoot a broken tunnel.

Any other changes I should make sure I make?


Re: Setting up a PIX behind a NAT router for Remote Access and V

Generally it is recommended to forward UDP ports 500, 4500 and 10000 on the PIX for VPN to work fine. For configuring a PIX behind a NAT router and connecting to a remote PIX
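The UDP 4500 entry in the reply is the NAT-Traversal port: a consumer NAT router cannot port-forward raw ESP (IP protocol 50), so NAT-T wraps both ESP and IKE in UDP 4500 and tells them apart with a 4-byte zero "non-ESP marker" (RFC 3948). The classifier below is an added example, not code from this thread or from Cisco, and it runs on constructed payloads rather than captured traffic; it shows what a firewall or packet capture should see on that forwarded port when a tunnel is healthy.

```python
import struct

# RFC 3948 framing on UDP/4500:
#   - single byte 0xFF            -> NAT keepalive
#   - 4 zero bytes + ISAKMP header -> IKE (non-ESP marker)
#   - anything else               -> UDP-encapsulated ESP, first 4 bytes are the SPI
# ESP SPI 0 is reserved, which is what makes the zero marker unambiguous.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
ISAKMP_HDR = "!8s8sBBBBII"  # i-cookie, r-cookie, next payload, version, exchange, flags, msg id, length
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR)  # 28 bytes


def classify_nat_t(payload: bytes) -> dict:
    """Classify one UDP/4500 datagram payload as keepalive, IKE, ESP or malformed."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "malformed", "reason": "shorter than an SPI or marker"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[4:]
        if len(ike) < ISAKMP_HDR_LEN:
            return {"kind": "malformed", "reason": "truncated ISAKMP header"}
        _i, _r, _np, ver, exch, _flags, _mid, length = struct.unpack(ISAKMP_HDR, ike[:ISAKMP_HDR_LEN])
        return {"kind": "ike", "version": f"{ver >> 4}.{ver & 0xF}", "exchange": exch, "length": length}
    spi, seq = struct.unpack("!II", payload[:8]) if len(payload) >= 8 else (0, 0)
    if spi == 0:
        return {"kind": "malformed", "reason": "ESP SPI 0 is reserved"}
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample payloads (hypothetical, not captured from a real PIX).
SAMPLES = {
    "keepalive": b"\xff",
    "ike_main_mode": NON_ESP_MARKER + b"\x01" * 8 + b"\x00" * 8
                     + bytes([1, 0x10, 2, 0]) + struct.pack("!II", 0, ISAKMP_HDR_LEN),
    "esp": struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16,
    "bad": b"\x00\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify_nat_t(pkt)}")
```

If a capture on the forwarded UDP 4500 path shows only keepalives and IKE but never ESP, the router is passing IKE but dropping the encapsulated data traffic, which is the usual symptom of a half-configured forward.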
