Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Symantec VPN 100 behind a CISCO PIX 515

Posted on 2003-11-14
7
Medium Priority
?
610 Views
Last Modified: 2013-11-16
My client needs to set up a Symantec FW/VPN 100 on their network which is behind a CISCO PIX 515.   The VPN uses Dynamic Key to tunnel to a Symantec VPN outside of the network.

The PIX provides NAT to ther network.

I'll be assigning two internal IP's to the symantec, one on the WAN side and one on the LAN side.  Then route the VPN traffic to the symantec.  (right?)

I think I have to allow UDP 500 through on the PIX?  How do I do that?  What else do I have to do?

thanks
Wes
0
Comment
Question by:wesmon
  • 3
  • 2
7 Comments
 
LVL 13

Expert Comment

by:td_miles
ID: 9752508
This sample shows what you are trying to achieve:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

As an alternative, you could setup the VPN direct between the external Symnatec box directly to the PIX.
0
 

Author Comment

by:wesmon
ID: 9765432
I think I need more specific help than that.

My PIX WAN side addr is 66.6.6.66
My PIX LAN side is 38.161.204.10
My VPN 100 LAN addr is 38.161.204.100
MY VPN WAN addr is 38.161.204.101
My users are all 38.161.204.xxx

The Remote VPN server is 207.218.161.99
The Remote VPN network is 192.168.200.0

I can handle the Symantec VPN 100 config but I need help allowing the traffic on the PIX.

My PIX is using NAT and ACL's if that helps.

0
 
LVL 13

Accepted Solution

by:
td_miles earned 1000 total points
ID: 9767929
You will need another real IP address for the static NAT to your VPN100 that is behind the PIX. Assuming that it is 66.6.6.67, try the following:

static (inside,outside) 66.6.6.67 31.161.204.101 netmask 255.255.255.255 0 0
access-list ipsec-in permit esp host 207.218.161.99 host 66.6.6.67
access-list ipsec-in permit udp host 207.218.161.99 eq isakmp host 66.6.6.67 eq isakmp
access-group ipsec-in in interface outside

BUT, as you said you already are using NAT & ACL, add the lines to your existing ACL that is applied inbound on your outside interface, as you can only have one ACL on each interface in either direction at a time.

When you setup the remote VPN server, you would tell it to connect the IPSec tunnel to 66.6.6.67 (which would then be translated to the internal VPN100 box).
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 

Author Comment

by:wesmon
ID: 9771264
Ok, that makes sense.  I'll give it a try and let you know.  

Also, I believe I need to add a route on my router to direct 192.168.200.0 to 38.161.204.100

Is that right?

thanks.
0
 
LVL 13

Expert Comment

by:td_miles
ID: 9775275
Yes, you'll need routes on both ends to point the traffic destined for the remote LAN over the VPN tunnel.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10976399
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Accept: td_miles

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question