Solved

Symantec VPN 100 behind a CISCO PIX 515

Posted on 2003-11-14
7
571 Views
Last Modified: 2013-11-16
My client needs to set up a Symantec FW/VPN 100 on their network which is behind a CISCO PIX 515.   The VPN uses Dynamic Key to tunnel to a Symantec VPN outside of the network.

The PIX provides NAT to ther network.

I'll be assigning two internal IP's to the symantec, one on the WAN side and one on the LAN side.  Then route the VPN traffic to the symantec.  (right?)

I think I have to allow UDP 500 through on the PIX?  How do I do that?  What else do I have to do?

thanks
Wes
0
Comment
Question by:wesmon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
7 Comments
 
LVL 13

Expert Comment

by:td_miles
ID: 9752508
This sample shows what you are trying to achieve:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

As an alternative, you could setup the VPN direct between the external Symnatec box directly to the PIX.
0
 

Author Comment

by:wesmon
ID: 9765432
I think I need more specific help than that.

My PIX WAN side addr is 66.6.6.66
My PIX LAN side is 38.161.204.10
My VPN 100 LAN addr is 38.161.204.100
MY VPN WAN addr is 38.161.204.101
My users are all 38.161.204.xxx

The Remote VPN server is 207.218.161.99
The Remote VPN network is 192.168.200.0

I can handle the Symantec VPN 100 config but I need help allowing the traffic on the PIX.

My PIX is using NAT and ACL's if that helps.

0
 
LVL 13

Accepted Solution

by:
td_miles earned 250 total points
ID: 9767929
You will need another real IP address for the static NAT to your VPN100 that is behind the PIX. Assuming that it is 66.6.6.67, try the following:

static (inside,outside) 66.6.6.67 31.161.204.101 netmask 255.255.255.255 0 0
access-list ipsec-in permit esp host 207.218.161.99 host 66.6.6.67
access-list ipsec-in permit udp host 207.218.161.99 eq isakmp host 66.6.6.67 eq isakmp
access-group ipsec-in in interface outside

BUT, as you said you already are using NAT & ACL, add the lines to your existing ACL that is applied inbound on your outside interface, as you can only have one ACL on each interface in either direction at a time.

When you setup the remote VPN server, you would tell it to connect the IPSec tunnel to 66.6.6.67 (which would then be translated to the internal VPN100 box).
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 

Author Comment

by:wesmon
ID: 9771264
Ok, that makes sense.  I'll give it a try and let you know.  

Also, I believe I need to add a route on my router to direct 192.168.200.0 to 38.161.204.100

Is that right?

thanks.
0
 
LVL 13

Expert Comment

by:td_miles
ID: 9775275
Yes, you'll need routes on both ends to point the traffic destined for the remote LAN over the VPN tunnel.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10976399
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question