PIX501->PIX501 VPN - which ports to forward on perimeter firewall to pix?

I am setting up a multi-site VPN using Cisco 501's in a hub and spoke arrangement (as opposed to a mesh topology). Each site will have its own server.

I have successfully setup the main site and one of the remote sites, and the VPN between them works as expected.
I am now setting up the 3rd office (i.e. 2nd remote site), but wish to do this initially from within our office (a different company, not either of the 2 existing VPN offices) to allow the majority of the server config to be done here before taking it to the remote site.

In our office we have a perimeter firewall between our LAN and the Internet. To avoid disruption to the network I have to set up the PIX within our LAN, rather than having it on the Internet directly. My question is which ports do I need to port-forward on the main perimeter firewall to allow the VPN to connect from the remote main office to the PIX on our LAN.

(Didn't explain that too well... here's a diagram)

(Main Site with PIX 501) ----Internet VPN-----(Our Office Perimeter Firewall)----(PIX 501 in our office)

I am currently forwarding port 443 from the perimeter firewall to the PIX, but it does not seem to be bringing up the tunnel as expected. I have enabled ipsec and isakmp debugging but the PIX just replies 'no response received' when I try pinging the remote PIX from the local PIX.

EmpKent Commented:
IPSec uses UDP 500 and Protocols 50 and 51.

Port 443 would allow you to manage it remotely if you have set the source IP up in the PIX but that is not a particularly good idea.

Allowing ICMP in both PIX's will allow you to ping the remote box but that isn't really necessary. Watching an isakmp debug once you have allowed IPSec will show you connectivity.
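As an added illustration (not code from the thread or from Cisco), the check below models the perimeter firewall's forwarding table and reports which of the flows EmpKent lists (UDP 500, IP protocol 50, IP protocol 51) never reach the PIX on the LAN; it also flags the IKE identity mismatch the asker reports later in the thread. The addresses and the rule table are constructed placeholders, not the thread's real values.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

IKE_PORT = 500        # ISAKMP/IKE runs over UDP 500
PROTO_ESP = 50        # IP protocol 50 (ESP), carries no port numbers
PROTO_AH = 51         # IP protocol 51 (AH), carries no port numbers

# Flows a PIX-to-PIX IPsec tunnel needs the perimeter to pass inbound to the PIX.
REQUIRED = [("udp", IKE_PORT, "ISAKMP / IKE (UDP 500)"),
            (PROTO_ESP, None, "ESP (IP protocol 50)"),
            (PROTO_AH, None, "AH (IP protocol 51)")]

@dataclass(frozen=True)
class Forward:
    proto: Union[str, int]   # "tcp"/"udp", or a bare IP protocol number
    port: Optional[int]      # None for port-less protocols such as ESP/AH
    to: str                  # inside address the rule forwards to

def missing_forwards(table: List[Forward], pix_inside_ip: str) -> List[str]:
    """Return the required flows the perimeter does NOT forward to the PIX.
    A perimeter that can only forward TCP/UDP ports cannot express the ESP/AH
    rules at all, which is the NAT concern EmpKent raises in the thread."""
    return [what for proto, port, what in REQUIRED
            if not any(f.proto == proto and f.port == port and f.to == pix_inside_ip
                       for f in table)]

def identity_mismatch(pix_wan_ip: str, peer_expects: str) -> bool:
    """IKE main mode identifies peers by IP address. A PIX behind NAT presents
    its own (private) WAN address, not the perimeter's public one, so the
    remote peer configured for the public address will not match it."""
    return pix_wan_ip != peer_expects

# Constructed sample values (placeholders for the thread's 10.40.x.x / 62.x.x.x).
PIX_INSIDE = "10.40.0.2"          # WAN port of the PIX, on the LAN side of the perimeter
PERIMETER_PUBLIC = "62.0.0.1"     # public address the remote PIX expects to peer with

# The asker's original table: only TCP 443 forwarded.
ORIGINAL = [Forward("tcp", 443, PIX_INSIDE)]
# The table after applying EmpKent's answer.
CORRECTED = ORIGINAL + [Forward("udp", IKE_PORT, PIX_INSIDE),
                        Forward(PROTO_ESP, None, PIX_INSIDE),
                        Forward(PROTO_AH, None, PIX_INSIDE)]

if __name__ == "__main__":
    print("original table, not forwarded:", missing_forwards(ORIGINAL, PIX_INSIDE))
    print("corrected table, not forwarded:", missing_forwards(CORRECTED, PIX_INSIDE))
    print("IKE identity mismatch:", identity_mismatch(PIX_INSIDE, PERIMETER_PUBLIC))
```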

rog2054Author Commented:
Afraid I was having a bit of an absent moment earlier when I set 443. I now realise that was for SSL and that it is of course 500 for IPsec - one of those things! Thanks for the memory jog EmpKent.

However, I have hit another hurdle. Here is the output from the debug when the tunnel attempted to connect:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local=, remote=,
    local_proxy= (type=4),
    remote_proxy= (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src, dst
ISADB: reaper checking SA 0xa00bec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local=, remote=,
    local_proxy= (type=4),
    remote_proxy= (type=4)

I guess the problem is the (identity) local which is being reported as - this is the IP of the WAN port of the PIX, and is part of the 10.40.x.x subnet in between the local PIX and the perimeter firewall.

How do I set the PIX to report its identity as the WAN IP of the perimeter firewall, 62.x.x.x?
The PIX at the other office is expecting a tunnel between itself and the 62.x.x.x address accordingly.

(PS: I've increased the points also as this is an extension of the original question)

What is the make of the perimeter router? Can you terminate the VPN on it?

Can you NAT through it? I have not tried that with PIX VPNs and suspect that it would not work but it would be worth looking at.

Do you have another public IP available at your site? You may be better off to place the 501 on the perimeter in parallel with the other firewall.


rog2054Author Commented:
The perimeter router is a 'Gnatbox' - unsure of the specifics as it was here long before I was (!)

It's set to use NAT, with port forwarding for port 500. We do have a 'spare' external IP so I'll see if I can use that one - was hoping to avoid that though due to 'office politics' etc. Gotta love the office politics! :-/

The argument against the politicians is that a brand new PIX is quite a bit more secure than an open source "older" product.

But, I know where you are coming from.

Try a static NAT in the Gnatbox to that PIX and see if it works. Otherwise, I believe that to be your best option.


rog2054Author Commented:

Thanks for your input.
I'm convinced it is possible to set up the PIX behind the other firewall; however I agree that for my purposes (a temporary VPN for maybe 1 week) I will be best running it on a separate IP in parallel with the Gnatbox (keeping the LAN interface of the PIX physically separate from the LAN interface of the Gnatbox to prevent further confusion).

I agree totally that a modern PIX would be a better replacement for the current Gnatbox; however as the PIX is only going to be a temporary fixture I cannot see it replacing the Gnatbox - believe me I would be the first to bin the Gnatbox and put in a shiny new PIX if it were my decision!

Thanks again for your help.