Remote Access vpn connection via pix to VPN Concentrator on Dmz

Joseph Adekoya
Level 1

hello everyone,

Can you please help out with the VPN design. I have the public interface of the VPN Concentrator 3000 connected to the PIX DMZ (sec30), the inside interface (sec100) connected to the campus, and the other end of my VPN Concentrator connected to another interface on the PIX with sec80. Is the design okay, and how do I allow IKE and IPsec traffic through the PIX to the concentrator on the PIX DMZ?

Thank you


Accepted Solution

Jennifer Halim
Cisco Employee

If the VPN Concentrator is configured with a public IP address, then you would need to configure the static NAT to itself as follows:

For example if VPN Concentrator public interface is 200.1.1.1, on the ASA, you would configure:

static (dmz,outside) 200.1.1.1 200.1.1.1 netmask 255.255.255.255

Then you would need to configure ACL on the ASA outside interface to allow the following:

- ESP protocol

- UDP/500

- UDP/4500

The above are the default IPSec ports; however, the VPN Concentrator also supports UDP/10000 and TCP/10000, so if you use those ports, you might want to enable those as well.

Then, for the clear text traffic from the private interface of the VPN Concentrator towards the inside network, you would also need to configure static statements and an ACL to allow that clear traffic after it has been decrypted.

BTW, why don't you just terminate the VPN on the PIX itself?

Just FYI, VPN Concentrator is coming EOL as per the following EOL notification:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

Hope that helps.

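The configuration below is an added example written for this thread, not configuration from the answer above or from Cisco documentation. It puts the three pieces of the accepted answer together in PIX 6.x-style syntax: the identity static for the concentrator's public address, the inbound ACL on the outside interface limited to IKE, NAT-T and ESP, and the static plus ACL for the decrypted traffic coming back in on the concentrator's private-side interface. The concentrator address 200.1.1.1 and the security levels 0/30/80/100 come from the thread; the interface names `outside`, `dmz`, `vpnpriv` and `inside`, the inside network 10.1.0.0/16 and the client address pool 10.200.0.0/24 are assumptions for illustration.

```cisco
! Added example (not from the original thread). Assumed values: interface names
! outside/dmz/vpnpriv/inside with security levels 0/30/80/100, inside network
! 10.1.0.0/16, concentrator client pool 10.200.0.0/24.
!
! 1. Identity static: traffic from a lower-security interface (outside) to a
!    higher-security one (dmz) needs a static on the PIX; here no translation
!    is applied, the concentrator keeps its public address 200.1.1.1.
static (dmz,outside) 200.1.1.1 200.1.1.1 netmask 255.255.255.255
!
! 2. Inbound ACL on outside: only IKE (UDP/500, keyword isakmp), NAT-T (UDP/4500)
!    and ESP (IP protocol 50) may reach the concentrator. UDP/10000 and TCP/10000
!    are the concentrator's optional IPsec-over-UDP/TCP encapsulations; leave them
!    commented out unless clients actually use them.
access-list outside_in permit udp any host 200.1.1.1 eq isakmp
access-list outside_in permit udp any host 200.1.1.1 eq 4500
access-list outside_in permit esp any host 200.1.1.1
! access-list outside_in permit udp any host 200.1.1.1 eq 10000
! access-list outside_in permit tcp any host 200.1.1.1 eq 10000
access-group outside_in in interface outside
!
! 3. Decrypted client traffic enters the PIX on the concentrator's private-side
!    interface (vpnpriv, sec80) and must reach inside (sec100): again an identity
!    static so inside addresses are not translated, plus an ACL on that interface
!    scoped to the client pool and the inside network rather than "any".
static (inside,vpnpriv) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
access-list vpnpriv_in permit ip 10.200.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-group vpnpriv_in in interface vpnpriv
```

Two points worth checking when applying something like this: `sysopt connection permit-ipsec` only bypasses interface ACLs for tunnels that terminate on the PIX itself, so it does nothing for IPsec passed through to the concentrator and the explicit ESP/UDP entries are required; and hit counts in `show access-list` are the quickest way to confirm that clients are arriving on UDP/500 and UDP/4500 (NAT-T) versus raw ESP, so that no encapsulation in use is left unpermitted.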
