Solved

Symantec VPN 100 behind a CISCO PIX 515

Posted on 2003-11-14
558 Views
Last Modified: 2013-11-16
My client needs to set up a Symantec FW/VPN 100 on their network which is behind a CISCO PIX 515.   The VPN uses Dynamic Key to tunnel to a Symantec VPN outside of the network.

The PIX provides NAT to the network.

I'll be assigning two internal IPs to the Symantec, one on the WAN side and one on the LAN side.  Then route the VPN traffic to the Symantec.  (right?)

I think I have to allow UDP 500 through on the PIX?  How do I do that?  What else do I have to do?

thanks
Wes
Question by:wesmon
7 Comments
LVL 13

Expert Comment

by:td_miles
ID: 9752508
This sample shows what you are trying to achieve:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

As an alternative, you could set up the VPN directly between the external Symantec box and the PIX.
0
 

Author Comment

by:wesmon
ID: 9765432
I think I need more specific help than that.

My PIX WAN side addr is 66.6.6.66
My PIX LAN side is 38.161.204.10
My VPN 100 LAN addr is 38.161.204.100
My VPN WAN addr is 38.161.204.101
My users are all 38.161.204.xxx

The Remote VPN server is 207.218.161.99
The Remote VPN network is 192.168.200.0

I can handle the Symantec VPN 100 config but I need help allowing the traffic on the PIX.

My PIX is using NAT and ACLs if that helps.

0
 
LVL 13

Accepted Solution

by:
td_miles earned 250 total points
ID: 9767929
You will need another real IP address for the static NAT to your VPN100 that is behind the PIX. Assuming that it is 66.6.6.67, try the following:

static (inside,outside) 66.6.6.67 38.161.204.101 netmask 255.255.255.255 0 0
access-list ipsec-in permit esp host 207.218.161.99 host 66.6.6.67
access-list ipsec-in permit udp host 207.218.161.99 eq isakmp host 66.6.6.67 eq isakmp
access-group ipsec-in in interface outside

BUT, as you said you are already using NAT & ACLs, add the lines to your existing ACL that is applied inbound on your outside interface, as you can only have one ACL on each interface in either direction at a time.

When you set up the remote VPN server, you would tell it to connect the IPSec tunnel to 66.6.6.67 (which would then be translated to the internal VPN100 box).
0
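To see how the accepted answer's lines fit into an existing inbound ACL, here is a small PIX 6.x style access-list evaluator, added as an example that is not part of the original thread. It parses `static`, `access-list` and `access-group` lines, then runs first-match evaluation (with the PIX implicit deny at the end) for the two flows the tunnel needs from the remote peer: ESP and ISAKMP on UDP/500. The addresses are the ones from the thread; the ACL name `outside_in` and the extra web-server line are constructed assumptions standing in for the poster's existing ACL. Note that on PIX 6.x the inbound ACL matches on the translated (global) address 66.6.6.67, not on the inside address, which is why the answer's ACL lines name the static's global address.

```python
import ipaddress

# Constructed config fragment (assumption): the accepted answer's lines merged
# into a pre-existing inbound ACL named 'outside_in'. The static and the two
# tunnel lines use the thread's addresses; the 'www' line is made up.
SAMPLE_CONFIG = """
static (inside,outside) 66.6.6.67 38.161.204.101 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 66.6.6.70 eq www
access-list outside_in permit esp host 207.218.161.99 host 66.6.6.67
access-list outside_in permit udp host 207.218.161.99 eq isakmp host 66.6.6.67 eq isakmp
access-group outside_in in interface outside
"""

PORT_NAMES = {"isakmp": 500, "www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_config(text):
    """Return (acls, statics, applied): ACL entries per name, global->real statics,
    and the ACL applied inbound per interface."""
    acls, statics, applied = {}, {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "static" and len(t) >= 4:
            statics[t[2]] = t[3]                      # global -> real address
        elif t[0] == "access-group" and "in" in t:
            applied[t[-1]] = t[1]                     # interface -> ACL name
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _parse_addr(t, 4)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
            acls.setdefault(t[1], []).append({
                "action": t[2], "proto": PROTO_NUMBERS[t[3]], "src": src,
                "sport": sport, "dst": dst, "dport": dport, "line": raw.strip()})
    return acls, statics, applied


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] is not None and e["proto"] != proto:
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "<implicit deny>"


def check_tunnel(text, peer, global_ip, interface="outside"):
    """Check that the inbound ACL on `interface` lets the peer reach the static
    address with ESP and ISAKMP, and report which real address it maps to."""
    acls, statics, applied = parse_config(text)
    entries = acls.get(applied.get(interface, ""), [])
    return {
        "acl": applied.get(interface),
        "static_real": statics.get(global_ip),
        "esp": evaluate(entries, 50, peer, global_ip),
        "isakmp": evaluate(entries, 17, peer, global_ip, 500, 500),
    }


if __name__ == "__main__":
    for k, v in check_tunnel(SAMPLE_CONFIG, "207.218.161.99", "66.6.6.67").items():
        print(f"{k}: {v}")
```

Running it shows both tunnel flows hitting the permit lines from the answer while the same ISAKMP packet from any other source falls through to the implicit deny, which is the behaviour you want before pasting the lines into the production ACL.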
 

Author Comment

by:wesmon
ID: 9771264
Ok, that makes sense.  I'll give it a try and let you know.  

Also, I believe I need to add a route on my router to direct 192.168.200.0 to 38.161.204.100

Is that right?

thanks.
0
 
LVL 13

Expert Comment

by:td_miles
ID: 9775275
Yes, you'll need routes on both ends to point the traffic destined for the remote LAN over the VPN tunnel.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10976399
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0