IPSEC VPN through PIX

Status
Not open for further replies.

sghezzi (Technical User, DE), Apr 7, 2003
I have PIX 6.1 and I would like to let it allow an IPSEC VPN between an external Cisco router and an internal Cisco router. Is it possible?
How do I have to configure the PIX?
I guess I have to add a static rule to map a public IP to the private IP of our Cisco router and then I have to set some inbound ACLs. Which ones? What traffic?
Is it secure?

Does anybody have suggestions?

thanks
Silvia
 
HI.

> Is it possible?
Yes.

> Is it secure?
No.
Well, it depends.
Such a configuration is delegating the network security to the routers. The PIX cannot control the VPN traffic that way.
Why not use the PIX as VPN peer, instead of the internal router?

> I guess I have to add a static rule to map a public IP to the private ip of out cisco router and then I have to set some inbound ACLs, which one? what traffic?
Correct.
IPSec works over:
UDP port 500 (isakmp)
IP protocol 50 (esp)
So:
access-list ... permit udp ..... eq 500
access-list ... permit esp .....


Yizhar Hurwitz
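The static translation and the two access-list entries from the reply above, written out as a complete PIX 6.x fragment. This is an added example, not configuration posted in the thread; the addresses (external router 198.51.100.5, internal router 10.0.0.10 presented outside as 203.0.113.10), the interface names inside/outside and the ACL name OUTSIDE_IN are constructed assumptions.

```cisco
! 1:1 static translation with no port overloading, so ESP (which has no
! port numbers) passes the NAT unchanged
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0

! Permit only the two IPsec components, and only between the two known peers.
! Do not widen this to 'any': once the tunnel is up the PIX cannot inspect
! what travels inside it, so this ACL is the only place the firewall still
! limits who may talk to the internal router.
access-list OUTSIDE_IN permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list OUTSIDE_IN permit esp host 198.51.100.5 host 203.0.113.10

! Only needed if the two routers negotiate NAT traversal (IKE and ESP
! encapsulated in UDP 4500); harmless to leave out otherwise
access-list OUTSIDE_IN permit udp host 198.51.100.5 host 203.0.113.10 eq 4500

! Apply the list inbound on the outside interface
access-group OUTSIDE_IN in interface outside
```

After the tunnel comes up, `show access-list OUTSIDE_IN` should show hit counts climbing only on the UDP 500 and ESP entries, and `show xlate` should show the single static translation for 10.0.0.10; any other traffic from the peer is dropped by the implicit deny.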
 
Many thanks Yizhar, everything clear.

We cannot use the PIX as a peer because we need to implement dynamic routing between two possible VPN paths to our remote peer, and I guess this isn't possible through the PIX, right?

 
HI.

> We cannot use the PIX as a peer because we need to implement dynamic routing between two possible VPN ... right?
I don't know.
The info is not detailed enough to understand your scenario.

Anyway, something seems to me wrong here with a VPN between the routers, because it is simply a bypass of your firewall.

Maybe you can do it with static routes (you can then "redistribute" the static routes on each side), or maybe a redesign of the network can make it more logical.


Yizhar Hurwitz
 
Yizhar, can you clarify a bit what you mean with redistribution of static routes on each side?
Which side? Are you talking about the PIX?
I didn't get it :-(

Anyway, we are thinking of redesigning our network and we are currently thinking of having the router in front of the PIX as an endpoint of VPNs from other institutions.
Why the endpoint on the router and not on the PIX? Because, as you saw in my other post, we have the problem of having connections with two ISPs (for redundancy) and dynamic routing, which the PIX cannot implement.
 