Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vpn (3015) box off pix firewall - need help with configuration

I keep reviewing acl's and pix vpn configurations but i am not sure if the apply to my configuration.

i want to put my vpn - cisco 3015 - on my 4th interface of my pix firewall. i allowed port 500/upd open and authenication works but i can not get information to and from my network.

do i just allow 500/udp from my internal network back to my vpn - i have never done this before (relatively new to pix) and I can't find any documentation that pertain to my situation.

any help would be greatly appreciated!


  • Other Security Subjects
New Member

Re: vpn (3015) box off pix firewall - need help with configurati

Hi rbinc

I suppose you have been connected the external interface for VPN3015 to 4th pix interface. I suppose you have connected the internal interface to your internal network., so.

You need to put the default tunnel gateway to a route into your network, and a default router to your pix

In addition, you need to put an static route in your insde router pointing to the vpn3015 ip address interface in order to reach the client address pool assigned to remote clients.

I hope this could help you.

New Member

Re: vpn (3015) box off pix firewall - need help with configurati

i did put the public on the 4th interface and the private into a inside switch. the public gateway is the pix interface ip and the gateway for the insid eis the inside router. i do have a route pointing all vpn traffic (dhcp pool ip address) to go to the vpn. i opened port 500/udp and authenication does work. but in order for data to transfer back and forth, do i just open all from the inside to the vpn? this is where i am stuck.

Cisco Employee

Re: vpn (3015) box off pix firewall - need help with configurati

In the PIX you'll need something like:

> static (4th-int,outside) netmask

> access-list vpn permit udp any host eq isakmp

> access-list vpn permit esp any host

> access-group vpn in interface outside

Of course if you currently have an ACL on your outside interface, just add the two lines I specified to it, don't create a new ACL like I have.

Opening port 500 (ISAKMP) means you'll be able to build a tunnel and authenticate, but you need to allow ESP packets through for any traffic to flow after the tunnel is built. ESP sits right on top of IP, it is not a TCP or UDP protocol, that's why the access-list looks a little different.

This widget could not be displayed.