Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN device behind PIX

I have a Cisco 1700 router hanging off an ethernet port on my PIX. The router needs to be able to create a VPN through the PIX and yes it has to go through the 1700. If I have the device connected directly to port ethernet 5 what commands do I need to use to allow the VPN to go through the PIX?


Community Member

Re: VPN device behind PIX

You will first need a static NAT for the vpn device, then you will need to add an acl:

access-list VPN-IN permit ah any host x.x.x.x

access-list VPN-IN permit esp any host x.x.x.x

access-list VPN-IN permit udp any host x.x.x.x eq isakmp

the 'host x.x.x.x' should be the global address (NATTED Address) of the cisco 1700.

Assuming you are terminating with another VPN device on the internet you would want to apply the ACL to the outside interface.

If this is for a site-to-site you can change the keyword 'any' in ACL with 'host x.x.x.x' which would be the other vpn device. If this is for a remote-access VPN then leave the 'any' keyword, as would not know the ip of clients connecting.

CreatePlease to create content