
New Member

Remote Access vpn connection via pix to VPN Concentrator on Dmz

hello everyone,

Can you please help out with the VPN design? I have the public interface of the VPN Concentrator 3000 connected to the PIX DMZ (sec 30), the inside interface (sec 100) connected to the campus, and the other end of my VPN Concentrator connected to another interface on the PIX with sec 80. Is the design okay, and how do I allow IKE and IPsec traffic through the PIX to the concentrator on the PIX DMZ?

Thank you

deeperdeeper

Accepted Solution
Super Bronze

Re: Remote Access vpn connection via pix to VPN Concentrator on

If the VPN Concentrator is configured with a public IP address, then you would need to configure a static NAT to itself as follows:

For example, if the VPN Concentrator's public interface is 200.1.1.1, on the ASA you would configure:

static (dmz,outside) 200.1.1.1 200.1.1.1 netmask 255.255.255.255

Then you would need to configure ACL on the ASA outside interface to allow the following:

- ESP protocol

- UDP/500

- UDP/4500

The above are the default IPsec ports; however, the VPN Concentrator also supports UDP/10000 and TCP/10000, so if you use those ports, you might want to enable those as well.

Then, for the clear-text traffic from the private interface of the VPN Concentrator towards the inside network, you would also need to configure static statements and an ACL to allow that clear-text traffic after it has been decrypted.

BTW, why don't you just terminate the VPN on the PIX itself?

Just FYI, the VPN Concentrator is going EOL as per the following EOL notification:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

Hope that helps.
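The static and ACL statements the answer describes, written out as an added example in PIX 6.x syntax (not the poster's or answerer's own configuration). The concentrator's public address 200.1.1.1 comes from the answer; the interface names outside/dmz/inside/vpnpriv, the client pool 10.10.10.0/24 and the campus network 10.1.0.0/16 are assumptions.

```cisco
! --- Concentrator public side (DMZ, sec 30) ---
! Identity static NAT so the public address is reachable from outside
static (dmz,outside) 200.1.1.1 200.1.1.1 netmask 255.255.255.255

! Only IKE, NAT-T and ESP are allowed in to the concentrator's public interface
access-list outside_in permit udp any host 200.1.1.1 eq 500
access-list outside_in permit udp any host 200.1.1.1 eq 4500
access-list outside_in permit esp any host 200.1.1.1
! Optional: IPsec over UDP/TCP 10000, only if enabled on the concentrator
access-list outside_in permit udp any host 200.1.1.1 eq 10000
access-list outside_in permit tcp any host 200.1.1.1 eq 10000
access-group outside_in in interface outside

! --- Concentrator private side (assumed interface "vpnpriv", sec 80) ---
! Decrypted client traffic goes from a lower-security interface to inside
! (sec 100), so it needs both a static and an ACL
static (inside,vpnpriv) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
! Assumed client address pool 10.10.10.0/24 assigned by the concentrator
access-list vpnpriv_in permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-group vpnpriv_in in interface vpnpriv
```

After a client connects, `show access-list outside_in` shows hit counts per line, so the unused 10000 entries can be confirmed idle and removed.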

