PIX501->PIX501 VPN - which ports to forward on perimeter firewall to pix?

Posted on 2004-04-23
Last Modified: 2010-08-05
I am setting up a multi-site VPN using Cisco 501s in a hub-and-spoke arrangement (as opposed to a mesh topology). Each site will have its own server.

I have successfully setup the main site and one of the remote sites, and the VPN between them works as expected.
I am now setting up the 3rd office (i.e. the 2nd remote site), but wish to do this initially from within our office (a different company, not either of the 2 existing VPN offices) to allow the majority of the server config to be done here before taking it to the remote site.

In our office we have a perimeter firewall between our LAN and the Internet. To avoid disruption to the network I have to set up the PIX within our LAN, rather than having it on the Internet directly. My question is which ports do I need to port-forward on the main perimeter firewall to allow the VPN to connect from the remote main office to the PIX on our LAN.

(Didn't explain that too well; here's a diagram)

(Main Site with PIX 501) ----Internet VPN-----(Our Office Perimeter Firewall)----(PIX 501 in our office)

I am currently forwarding port 443 from the perimeter firewall to the PIX, but it does not seem to be bringing up the tunnel as expected. I have enabled IPsec and ISAKMP debugging but the PIX just replies 'no response received' when I try pinging the remote PIX from the local PIX.

Question by: rog2054

Accepted Solution

EmpKent earned 250 total points
ID: 10899338
IPSec uses UDP 500 and Protocols 50 and 51.

Port 443 would allow you to manage it remotely if you have set the source IP up in the PIX but that is not a particularly good idea.

Allowing ICMP in both PIX's will allow you to ping the remote box but that isn't really necessary. Watching an isakmp debug once you have allowed IPSec will show you connectivity.


Author Comment

ID: 10900021
Afraid I was having a bit of an absent moment earlier when I set 443. I now realise that was for SSL and that it is of course 500 for IPsec - one of those things! Thanks for the memory jog EmpKent.

However, I have hit another hurdle. Here is the output from the debug when the tunnel attempted to connect:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local=, remote=,
    local_proxy= (type=4),
    remote_proxy= (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src, dst
ISADB: reaper checking SA 0xa00bec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local=, remote=,
    local_proxy= (type=4),
    remote_proxy= (type=4)

I guess the problem is the (identity) local, which is being reported as - this is the IP of the WAN port of the PIX, and is part of the 10.40.x.x subnet between the local PIX and the perimeter firewall.

How do I set the PIX to report its identity as the WAN IP of the perimeter firewall, 62.x.x.x?
The PIX at the other office is expecting a tunnel between itself and the 62.x.x.x address accordingly.

(PS: I've increased the points also as this is an extension of the original question)
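The debug capture above shows the spoke PIX sending main-mode phase 1 over UDP 500, retransmitting, and then reaping the SA without ever logging an inbound ISAKMP packet. The following script, added here as an example and not part of the original thread or of Cisco's tooling, triages a "debug crypto isakmp" capture into that "no reply" case versus a peer that answers but rejects the proposal. The first capture is the thread's own output with its redacted addresses left blank; the second capture and the three patterns marked "assumed" (process_block, "atts are not acceptable", IKMP_NO_ERROR) are constructed forms of PIX 6.x debug lines that the thread itself does not show.

```python
"""Triage a PIX 'debug crypto isakmp' capture for a tunnel that will not come up.

Added example, not from the original thread or from Cisco. The no-reply
capture is the thread author's debug output (redacted addresses left blank);
the mismatch capture and the patterns marked 'assumed' are constructed.
"""
import re
from dataclasses import dataclass

# Patterns that appear verbatim in the thread's capture.
RETRANSMIT = re.compile(r"ISAKMP \(\d+\): retransmitting phase 1 \((\d+)\)")
DELETE_SA = re.compile(r"ISAKMP \(\d+\): deleting SA")
# Patterns assumed for a peer that does answer (not shown in the thread).
INBOUND = re.compile(r"crypto_isakmp_process_block")        # assumed: packet received from peer
REJECTED = re.compile(r"atts are not acceptable")            # assumed: phase 1 proposal refused
PHASE1_OK = re.compile(r"return status is IKMP_NO_ERROR")    # assumed: exchange accepted

# The thread's capture: two retransmits, SA reaped, nothing ever received.
NO_REPLY_CAPTURE = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local=, remote=,
    local_proxy= (type=4),
    remote_proxy= (type=4)
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src, dst
ISADB: reaper checking SA 0xa00bec, conn_id = 0  DELETE IT!
VPN Peer:ISAKMP: Peer Info for not found - peers:0
"""

# Constructed capture: the peer answers on UDP 500 but rejects the proposal.
MISMATCH_CAPTURE = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:62.x.x.x, dest:10.40.x.x spt:500 dpt:500
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are not acceptable. Next payload is 0
"""


@dataclass
class Diagnosis:
    retransmits: int   # phase 1 retransmit lines counted
    sa_deleted: bool   # the initiator gave up and reaped the SA
    inbound: int       # ISAKMP packets logged as received from the peer
    verdict: str       # no_reply | proposal_mismatch | phase1_ok | reply_seen
    hint: str


def analyze(capture: str) -> Diagnosis:
    """Classify one capture by counting what was sent, received and rejected."""
    retransmits = inbound = 0
    sa_deleted = rejected = ok = False
    for line in capture.splitlines():
        if RETRANSMIT.search(line):
            retransmits += 1
        if DELETE_SA.search(line):
            sa_deleted = True
        if INBOUND.search(line):
            inbound += 1
        if REJECTED.search(line):
            rejected = True
        if PHASE1_OK.search(line):
            ok = True

    if inbound == 0:
        verdict = "no_reply"
        hint = ("Peer never answered on UDP 500: check the perimeter forwards "
                "UDP 500 to the PIX (ESP/AH are IP protocols 50/51, not ports) "
                "and that the peer expects the address the packets arrive from.")
    elif rejected:
        verdict = "proposal_mismatch"
        hint = "Peer reachable; phase 1 policy (encryption/hash/DH/lifetime) disagrees."
    elif ok:
        verdict = "phase1_ok"
        hint = "Phase 1 accepted; look at phase 2 (crypto map / proxy identities)."
    else:
        verdict = "reply_seen"
        hint = "Peer answered; read the lines after the inbound packet for the error."
    return Diagnosis(retransmits, sa_deleted, inbound, verdict, hint)


if __name__ == "__main__":
    for name, cap in (("thread capture", NO_REPLY_CAPTURE), ("constructed", MISMATCH_CAPTURE)):
        d = analyze(cap)
        print(f"{name}: {d.verdict} (retransmits={d.retransmits}, inbound={d.inbound})\n  {d.hint}")
```

Run it against a saved debug session with `analyze(open("debug.txt").read())`. The useful distinction is the first branch: a capture with retransmits and a reaped SA but zero inbound packets means the IKE request (UDP 500) is not reaching the peer or the peer is silently ignoring it, so the fix is on the path or on the peer's address expectation, not in the policy.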


Expert Comment

ID: 10900134
What is the make of the perimeter router? Can you terminate the VPN on it?

Can you NAT through it? I have not tried that with PIX VPNs and suspect that it would not work, but it would be worth looking at.

Do you have another public IP available at your site? You may be better off to place the 501 on the perimeter in parallel with the other firewall.



Author Comment

ID: 10900461
The perimeter router is a 'gnatbox' - unsure of the specifics as it was here long before i was (!)

It's set to use NAT, with port forwarding for port 500. We do have a 'spare' external IP so I'll see if I can use that one - was hoping to avoid that though due to 'office politics' etc. Gotta love the office politics! :-/


Expert Comment

ID: 10901225
The argument against the politicians is that a brand new PIX is quite a bit more secure than an open source "older" product.

But, I know where you are coming from.

Try a static NAT in the Gnatbox to that PIX and see if it works. Otherwise, I believe that to be your best option.



Author Comment

ID: 10921094

Thanks for your input.
I'm convinced it is possible to set up the PIX behind the other firewall; however, I agree that for my purposes (temporary VPN for maybe 1 week) I will be best running it on a separate IP in parallel with the gnatbox (keeping the LAN interface of the PIX physically separate from the LAN interface of the gnatbox to prevent further confusion).

I agree totally that a modern PIX would be a better replacement for the current gnatbox; however, as the PIX is only going to be a temporary fixture I cannot see it replacing the gnatbox - believe me, I would be the first to bin the gnatbox and put in a shiny new PIX if it were my decision!

Thanks again for your help.
