Symantec VPN 100 behind a CISCO PIX 515

My client needs to set up a Symantec FW/VPN 100 on their network which is behind a CISCO PIX 515.   The VPN uses Dynamic Key to tunnel to a Symantec VPN outside of the network.

The PIX provides NAT to the network.

I'll be assigning two internal IPs to the Symantec, one on the WAN side and one on the LAN side. Then route the VPN traffic to the Symantec. (Right?)

I think I have to allow UDP 500 through on the PIX?  How do I do that?  What else do I have to do?

thanks
Wes
wesmon Asked:
td_miles Commented:
This sample shows what you are trying to achieve:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

As an alternative, you could set up the VPN directly between the external Symantec box and the PIX.
wesmon Author Commented:
I think I need more specific help than that.

My PIX WAN side addr is 66.6.6.66
My PIX LAN side addr is 38.161.204.10
My VPN 100 LAN addr is 38.161.204.100
My VPN 100 WAN addr is 38.161.204.101
My users are all 38.161.204.xxx

The Remote VPN server is 207.218.161.99
The Remote VPN network is 192.168.200.0

I can handle the Symantec VPN 100 config but I need help allowing the traffic on the PIX.

My PIX is using NAT and ACLs, if that helps.

td_miles Commented:
You will need another real IP address for the static NAT to your VPN100 that is behind the PIX. Assuming that it is 66.6.6.67, try the following:

! One-to-one static NAT: public 66.6.6.67 <-> VPN100 WAN-side address 38.161.204.101
static (inside,outside) 66.6.6.67 38.161.204.101 netmask 255.255.255.255 0 0
! Inbound from the remote peer only: ESP (IP protocol 50) and ISAKMP (UDP/500)
access-list ipsec-in permit esp host 207.218.161.99 host 66.6.6.67
access-list ipsec-in permit udp host 207.218.161.99 eq isakmp host 66.6.6.67 eq isakmp
! Apply the ACL inbound on the outside interface
access-group ipsec-in in interface outside

BUT, as you said you are already using NAT and an ACL, add the lines to your existing ACL that is applied inbound on your outside interface, as you can only have one ACL on each interface in either direction at a time.

When you setup the remote VPN server, you would tell it to connect the IPSec tunnel to 66.6.6.67 (which would then be translated to the internal VPN100 box).
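The lines above can be sanity-checked before they are pasted into the PIX. The following is an added example (not code from the thread or from Cisco): a small Python script that parses PIX 6.x `static`, `access-list` and `access-group` lines and confirms that the public address is translated to the VPN 100 WAN-side address, that the inside address actually lies in the LAN, and that the ACL bound inbound on `outside` permits ESP and ISAKMP from the remote peer. It also warns when UDP/4500 is absent, since a NAT-T capable peer will move to that port once it detects the translation. The addresses are the ones given in the thread; the /24 LAN prefix and the NAT-T rule are assumptions, and the first sample config is the posted one, which carries a typo in the inside address.

```python
"""Check PIX 6.x static NAT + inbound ACL lines for an IPsec peer (added example)."""
import ipaddress
import re

# Addresses from the thread; the LAN prefix length is an assumption.
PEER = "207.218.161.99"        # remote Symantec VPN server
PUBLIC_IP = "66.6.6.67"        # spare real address on the PIX outside
VPN_WAN_IP = "38.161.204.101"  # VPN 100 WAN-side address behind the PIX
LAN_NET = "38.161.204.0/24"

STATIC_RE = re.compile(
    r"^static \((?P<hi>\w+),(?P<lo>\w+)\) (?P<global>\S+) (?P<local>\S+) netmask (?P<mask>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"host (?P<src>\S+)(?: eq (?P<sport>\S+))? host (?P<dst>\S+)(?: eq (?P<dport>\S+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")
PORT_NAMES = {"isakmp": 500, "500": 500, "4500": 4500}


def parse(config_text):
    """Return (statics, acl_entries, {interface: inbound_acl_name})."""
    statics, acls, groups = [], [], {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m.group("iface")] = m.group("name")
    return statics, acls, groups


def check_ipsec_passthrough(config_text, peer, public_ip, vpn_wan_ip, lan_net):
    """Return {'errors': [...], 'warnings': [...]}; empty errors means the lines are consistent."""
    errors, warnings = [], []
    statics, acls, groups = parse(config_text)
    lan = ipaddress.ip_network(lan_net)

    mapped = [s for s in statics if s["global"] == public_ip]
    if not mapped:
        errors.append(f"no static translation for {public_ip}")
    else:
        local = mapped[0]["local"]
        if local != vpn_wan_ip:
            errors.append(f"static maps {public_ip} to {local}, expected {vpn_wan_ip}")
        if ipaddress.ip_address(local) not in lan:
            errors.append(f"inside address {local} is not in LAN {lan}")

    acl_name = groups.get("outside")
    if acl_name is None:
        errors.append("no access-group applied inbound on interface outside")
        return {"errors": errors, "warnings": warnings}

    # Only permits from the peer to the translated address count.
    rules = [r for r in acls if r["name"] == acl_name and r["action"] == "permit"
             and r["src"] == peer and r["dst"] == public_ip]
    has_esp = any(r["proto"] == "esp" for r in rules)
    has_ike = any(r["proto"] == "udp" and PORT_NAMES.get(r["dport"]) == 500 for r in rules)
    has_natt = any(r["proto"] == "udp" and PORT_NAMES.get(r["dport"]) == 4500 for r in rules)
    if not has_esp:
        errors.append(f"{acl_name} does not permit esp from {peer} to {public_ip}")
    if not has_ike:
        errors.append(f"{acl_name} does not permit udp/500 (isakmp) from {peer} to {public_ip}")
    if not has_natt:
        warnings.append("udp/4500 (NAT-T) not permitted; add it if the peers negotiate NAT traversal")
    return {"errors": errors, "warnings": warnings}


# Constructed sample: the lines as posted in the thread (note 31.x instead of 38.x).
POSTED = """\
static (inside,outside) 66.6.6.67 31.161.204.101 netmask 255.255.255.255 0 0
access-list ipsec-in permit esp host 207.218.161.99 host 66.6.6.67
access-list ipsec-in permit udp host 207.218.161.99 eq isakmp host 66.6.6.67 eq isakmp
access-group ipsec-in in interface outside
"""
FIXED = POSTED.replace("31.161.204.101", "38.161.204.101")
FIXED_NATT = FIXED + "access-list ipsec-in permit udp host 207.218.161.99 host 66.6.6.67 eq 4500\n"

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED), ("fixed+natt", FIXED_NATT)):
        print(label, check_ipsec_passthrough(cfg, PEER, PUBLIC_IP, VPN_WAN_IP, LAN_NET))
```

Run it as is and the posted lines fail on the inside address while the corrected ones pass with only the NAT-T warning; point it at your own outside ACL (the merged one, since the PIX takes a single inbound ACL per interface) to confirm the peer is permitted after the lines are added.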

wesmon Author Commented:
Ok, that makes sense. I'll give it a try and let you know.

Also, I believe I need to add a route on my router to direct 192.168.200.0 to 38.161.204.100.

Is that right?

thanks.
td_miles Commented:
Yes, you'll need routes on both ends to point the traffic destined for the remote LAN over the VPN tunnel.
Tim Holman Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer