• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 663
  • Last Modified:

Symantec VPN 100 behind a CISCO PIX 515

My client needs to set up a Symantec FW/VPN 100 on their network which is behind a CISCO PIX 515.   The VPN uses Dynamic Key to tunnel to a Symantec VPN outside of the network.

The PIX provides NAT to ther network.

I'll be assigning two internal IP's to the symantec, one on the WAN side and one on the LAN side.  Then route the VPN traffic to the symantec.  (right?)

I think I have to allow UDP 500 through on the PIX?  How do I do that?  What else do I have to do?

thanks
Wes
0
wesmon
Asked:
wesmon
  • 3
  • 2
1 Solution
 
td_milesCommented:
This sample shows what you are trying to achieve:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

As an alternative, you could setup the VPN direct between the external Symnatec box directly to the PIX.
0
 
wesmonAuthor Commented:
I think I need more specific help than that.

My PIX WAN side addr is 66.6.6.66
My PIX LAN side is 38.161.204.10
My VPN 100 LAN addr is 38.161.204.100
MY VPN WAN addr is 38.161.204.101
My users are all 38.161.204.xxx

The Remote VPN server is 207.218.161.99
The Remote VPN network is 192.168.200.0

I can handle the Symantec VPN 100 config but I need help allowing the traffic on the PIX.

My PIX is using NAT and ACL's if that helps.

0
 
td_milesCommented:
You will need another real IP address for the static NAT to your VPN100 that is behind the PIX. Assuming that it is 66.6.6.67, try the following:

static (inside,outside) 66.6.6.67 31.161.204.101 netmask 255.255.255.255 0 0
access-list ipsec-in permit esp host 207.218.161.99 host 66.6.6.67
access-list ipsec-in permit udp host 207.218.161.99 eq isakmp host 66.6.6.67 eq isakmp
access-group ipsec-in in interface outside

BUT, as you said you already are using NAT & ACL, add the lines to your existing ACL that is applied inbound on your outside interface, as you can only have one ACL on each interface in either direction at a time.

When you setup the remote VPN server, you would tell it to connect the IPSec tunnel to 66.6.6.67 (which would then be translated to the internal VPN100 box).
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
wesmonAuthor Commented:
Ok, that makes sense.  I'll give it a try and let you know.  

Also, I believe I need to add a route on my router to direct 192.168.200.0 to 38.161.204.100

Is that right?

thanks.
0
 
td_milesCommented:
Yes, you'll need routes on both ends to point the traffic destined for the remote LAN over the VPN tunnel.
0
 
Tim HolmanCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now