Re: vpn (3015) box off pix firewall - need help with configurati
i did put the public on the 4th interface and the private into an inside switch. the public gateway is the pix interface ip and the gateway for the inside is the inside router. i do have a route pointing all vpn traffic (dhcp pool ip address) to go to the vpn. i opened port 500/udp and authentication does work. but in order for data to transfer back and forth, do i just open all from the inside to the vpn? this is where i am stuck.
> access-list vpn permit udp any host 184.108.40.206 eq isakmp
> access-list vpn permit esp any host 220.127.116.11
> access-group vpn in interface outside
Of course if you currently have an ACL on your outside interface, just add the two lines I specified to it, don't create a new ACL like I have.
Opening port 500 (ISAKMP) means you'll be able to build a tunnel and authenticate, but you need to allow ESP packets through for any traffic to flow after the tunnel is built. ESP sits right on top of IP; it is not a TCP or UDP protocol, which is why the access-list looks a little different.
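To make the "port versus protocol" distinction in the reply concrete, here is a small ACL linter added to this thread (it is not from the original post or any Cisco tool). It parses access-list lines in the simple "access-list NAME permit PROTO SRC DST [eq PORT]" form used above, tolerates the ">" quoting forum posts add, and reports which of the two permits an IPsec peer needs (ISAKMP on UDP/500, ESP as IP protocol 50) are absent toward a given peer address. The peer address and the sample ACL are constructed here from the RFC 5737 documentation range; object-groups, port ranges and other ACE forms are deliberately unsupported.

```python
"""Check a PIX/ASA-style ACL for the two permits an IPsec peer needs.

Added example, not code from the thread: parses simple access-list lines and
reports whether ISAKMP (UDP/500) and ESP (IP protocol 50) are both permitted
toward a given VPN peer. Only the "access-list NAME permit PROTO SRC DST
[eq PORT]" form is handled; anything else is skipped.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# An address field is 'any', 'host A.B.C.D', or 'NETWORK MASK'.
ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ACL_RE = re.compile(
    rf"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    rf"\s+(?P<src>{ADDR})\s+(?P<dst>{ADDR})(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse the ACEs we understand; access-group and other lines are ignored."""
    entries = []
    for raw in lines:
        line = raw.strip().lstrip(">").strip()  # tolerate '>' quoting from forum posts
        m = ACL_RE.match(line)
        if m:
            entries.append(AclEntry(**m.groupdict()))
    return entries


def dst_covers(dst: str, peer_ip: str) -> bool:
    """True if an ACL destination ('any', 'host X', 'NET MASK') includes peer_ip."""
    if dst == "any":
        return True
    parts = dst.split()
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ipaddress.ip_address(peer_ip)
    net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
    return ipaddress.ip_address(peer_ip) in net


def missing_ipsec_permits(lines: List[str], peer_ip: str) -> List[str]:
    """Return the subset of ['isakmp', 'esp'] that is NOT permitted toward peer_ip.

    ISAKMP is UDP port 500 (keyword 'isakmp'). ESP is IP protocol 50, so a
    'permit udp ... eq 500' line does nothing for it: a separate 'permit esp'
    (or a blanket 'permit ip') line is required for tunnel data to flow.
    """
    have = {"isakmp": False, "esp": False}
    for e in parse_acl(lines):
        if e.action != "permit" or not dst_covers(e.dst, peer_ip):
            continue
        if e.proto == "ip":  # permits every IP protocol, so both are covered
            have["isakmp"] = have["esp"] = True
        elif e.proto in ("esp", "50"):
            have["esp"] = True
        elif e.proto in ("udp", "17") and e.port in (None, "isakmp", "500"):
            have["isakmp"] = True
    return [k for k, ok in have.items() if not ok]


# Constructed sample (peer address from the RFC 5737 documentation range).
PEER = "203.0.113.10"
COMPLETE_ACL = [
    f"access-list vpn permit udp any host {PEER} eq isakmp",
    f"access-list vpn permit esp any host {PEER}",
    "access-group vpn in interface outside",  # not an ACE; the parser skips it
]
ISAKMP_ONLY_ACL = COMPLETE_ACL[:1]  # tunnel builds and authenticates, but no data flows

if __name__ == "__main__":
    for label, acl in (("complete", COMPLETE_ACL), ("isakmp only", ISAKMP_ONLY_ACL)):
        print(f"{label}: missing = {missing_ipsec_permits(acl, PEER)}")
```

Run it as a script and the "isakmp only" case reports `['esp']`, which is exactly the symptom described in the question: phase 1 authenticates over UDP/500, but the encrypted data never passes the outside ACL.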