?
Solved

PIX501->PIX501 VPN - which ports to forward on perimeter firewall to pix?

Posted on 2004-04-23
6
Medium Priority
?
1,423 Views
Last Modified: 2010-08-05
I am setting up a multi-site VPN uses cisco 501's in a hub and spoke arrangement (as opposed to a mesh topology). Each site will have its own server.

I have successfully setup the main site and one of the remote sites, and the VPN between them works as expected.
I am now setting up the 3rd office (ie 2nd remote site), but wish to do this initially from within our office (different company, not either of the 2 existing VPN offices) to allow the majority of the server config here before taking it to the remote site.

In our office we have a perimeter firewall between our LAN and the Internet. To avoid disruption to the network i have to setup the pix within our LAN, rather than having it on the Internet directly. My question is which ports do i need to port-forward on the main perimeter firewall to allow the VPN to connect from the remote main office to the pix on our LAN.

(didnt explain that too well...here's a diagram)

(Main Site with PIX 501) ----Intenet VPN-----(Our Office Perimeter Firewall)----(PIX 501 in our office)

I am currently forwarding port 443 from the perimeter firewall to the pix, but does not seem to be bringing up the tunnel as expected. I have enabled ipsec and isakmp debugging but the pix just replies 'no response received' when i try pinging the remote pix from the local pix.

0
Comment
Question by:rog2054
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 7

Accepted Solution

by:
EmpKent earned 1000 total points
ID: 10899338
IPSec uses UDP 500 and Protocols 50 and 51.

Port 443 would allow you to manage it remotely if you have set the source IP up in the PIX but that is not a particularly good idea.

Allowing ICMP in both PIX's will allow you to ping the remote box but that isn't really necessary. Watching an isakmp debug once you have allowed IPSec will show you connectivity.

0
 
LVL 3

Author Comment

by:rog2054
ID: 10900021
Afriad i was having a bit of an absent moment earlier when i set 443. I now realise that was for SSL and that it is of course 500 for ipsec - one of those things! Thanks for the memory jog EmpKent.

However, i have hit another hurdle. Here is the output from the debug when the tunnel attempted to connect:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local= 10.40.6.51, remote= 80.176.125.66,
    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 10.40.6.51, dst 80.176.125.66
ISADB: reaper checking SA 0xa00bec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 80.176.125.66/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.40.6.51, remote= 80.176.125.66,
    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)

I guess the problem is the (identity) local which is been reported as 10.40.6.51 - this is the IP of the WAN port of the pix, and is part of the 10.40.x.x subnet in between the local pix and the perimeter firewall.

How do i set the pix to report its identity as the WAN IP of the perimeter firewall 62.x.x.x?
The PIX at the other office is expecting a tunnel between itself and the 62.x.x.x address accordingly.


(PS: I've increased the points also as this is an extension of the original question)

0
 
LVL 7

Expert Comment

by:EmpKent
ID: 10900134
What is the make of the perimeter router? Can you terminate the VPN on it?

Can you NAT through it? I have not tried that with PIX VPN's and suspect that it would not work but it would be worth looking at.

Do you have another public IP available at your site? You may be better off to place the 501 on the perimeter in parallel with the other firewall.

0
Limited time offer using promo code EXPERTS30

Designed with a wealth of functionality and convenience, ATEN's new Thunderbolt™ 2 Sharing Switch takes your Thunderbolt setup to the next level. Now through September 15, 2017, Experts Exchange members get 30% off the US7220 on the ATEN USA eShop using promo code EXPERTS30.

 
LVL 3

Author Comment

by:rog2054
ID: 10900461
The perimeter router is a 'gnatbox' - unsure of the specifics as it was here long before i was (!)

Its set to use NAT, with port forwarding for port500. We do have a 'spare' external IP so i'll see if i can use that one - was hoping to avoid that though due to 'office politics' etc. Gotta love the office politics! :-/





0
 
LVL 7

Expert Comment

by:EmpKent
ID: 10901225
The arguement against the politicians is that a brand new PIX is quite a bit more secure than an open source "older" product.

But, I know where you are coming from.

Try a static NAT in the Gnatbox to that PIX and see if it works. Otherwise, I believe that to be your best option.

GL,

Kent
0
 
LVL 3

Author Comment

by:rog2054
ID: 10921094
Kent,

Thanks for your input.
I'm convinced it is possible to setup the PIX behind the other firewall, however i agree that for my purposes (temporary vpn for maybe 1 week) i will be best running it on a separate IP in parallel with the gnatbox (keeping the LAN interface of the PIX physically separate from the LAN interface of the gnatbox to prevent futhur confusion.

I agree totally that a modern PIX would be a better replacement for the current gnatbox, however as the pix is only going to be a temporary fixture i cannot see it replacing the gnatbox - believe me i would be the first to bin the gnatbox and put in a shiney new pix if it were my decision!

Thanks again for your help.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question