Solved

PIX501->PIX501 VPN - which ports to forward on perimeter firewall to pix?

Posted on 2004-04-23
Last Modified: 2010-08-05
I am setting up a multi-site VPN using Cisco 501s in a hub and spoke arrangement (as opposed to a mesh topology). Each site will have its own server.

I have successfully setup the main site and one of the remote sites, and the VPN between them works as expected.
I am now setting up the 3rd office (i.e. 2nd remote site), but wish to do this initially from within our office (a different company, not either of the 2 existing VPN offices) to allow the majority of the server config to be done here before taking it to the remote site.

In our office we have a perimeter firewall between our LAN and the Internet. To avoid disruption to the network I have to set up the PIX within our LAN, rather than having it on the Internet directly. My question is which ports do I need to port-forward on the main perimeter firewall to allow the VPN to connect from the remote main office to the PIX on our LAN.

(didn't explain that too well... here's a diagram)

(Main Site with PIX 501) ----Internet VPN-----(Our Office Perimeter Firewall)----(PIX 501 in our office)

I am currently forwarding port 443 from the perimeter firewall to the PIX, but it does not seem to be bringing up the tunnel as expected. I have enabled ipsec and isakmp debugging but the PIX just replies 'no response received' when I try pinging the remote PIX from the local PIX.

Question by:rog2054
Accepted Solution

by:
EmpKent earned 250 total points
ID: 10899338
IPSec uses UDP 500 and Protocols 50 and 51.

Port 443 would allow you to manage it remotely if you have set the source IP up in the PIX but that is not a particularly good idea.

Allowing ICMP in both PIXs will allow you to ping the remote box but that isn't really necessary. Watching an isakmp debug once you have allowed IPSec will show you connectivity.

Author Comment

by:rog2054
ID: 10900021
Afraid I was having a bit of an absent moment earlier when I set 443. I now realise that was for SSL and that it is of course 500 for IPsec - one of those things! Thanks for the memory jog EmpKent.

However, I have hit another hurdle. Here is the output from the debug when the tunnel attempted to connect:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local= 10.40.6.51, remote= 80.176.125.66,
    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 10.40.6.51, dst 80.176.125.66
ISADB: reaper checking SA 0xa00bec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 80.176.125.66/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.40.6.51, remote= 80.176.125.66,
    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)

I guess the problem is the (identity) local which is being reported as 10.40.6.51 - this is the IP of the WAN port of the PIX, and is part of the 10.40.x.x subnet between the local PIX and the perimeter firewall.

How do I set the PIX to report its identity as the WAN IP of the perimeter firewall, 62.x.x.x?
The PIX at the other office is expecting a tunnel between itself and the 62.x.x.x address accordingly.


(PS: I've increased the points also as this is an extension of the original question)

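An added diagnostic example (not from this thread, Cisco, or the PIX itself) that parses the debug lines quoted in the comment above and reports what they show: how many times phase 1 was retransmitted with no reply, and whether the IKE identity the PIX presents is a private address rather than the perimeter firewall's public one. The sample log is the constructed excerpt from this post; the helper name is hypothetical.

```python
import ipaddress
import re

# Constructed sample input: the ISAKMP/IPsec debug lines quoted in this thread.
DEBUG_OUTPUT = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local= 10.40.6.51, remote= 80.176.125.66,
    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 10.40.6.51, dst 80.176.125.66
"""

IDENTITY_RE = re.compile(r"\(identity\) local= ([\d.]+), remote= ([\d.]+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)")


def analyse_isakmp_debug(text):
    """Summarise phase-1 state from PIX isakmp/ipsec debug output (hypothetical helper)."""
    r = {"local": None, "remote": None, "local_proxy": None, "remote_proxy": None,
         "phase1_retransmits": 0, "local_identity_is_private": None, "findings": []}
    for line in text.splitlines():
        if "retransmitting phase 1" in line:
            r["phase1_retransmits"] += 1  # IKE (UDP 500) was sent, nothing came back
        m = IDENTITY_RE.search(line)
        if m:
            r["local"], r["remote"] = m.group(1), m.group(2)
        for which, net, mask in PROXY_RE.findall(line):
            # PIX prints proxy identities as network/netmask; normalise to CIDR
            r[f"{which}_proxy"] = str(ipaddress.ip_network(f"{net}/{mask}"))
    if r["phase1_retransmits"]:
        r["findings"].append(
            f"phase 1 retransmitted {r['phase1_retransmits']} time(s) with no reply: "
            "confirm UDP 500 reaches the PIX through the perimeter firewall")
    if r["local"]:
        local = ipaddress.ip_address(r["local"])
        r["local_identity_is_private"] = local.is_private
        if local.is_private and not ipaddress.ip_address(r["remote"]).is_private:
            r["findings"].append(
                f"IKE identity {r['local']} is a private address behind NAT; a peer "
                "configured for the perimeter firewall's public address will not match it")
    return r


if __name__ == "__main__":
    for finding in analyse_isakmp_debug(DEBUG_OUTPUT)["findings"]:
        print("-", finding)
```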
Expert Comment

by:EmpKent
ID: 10900134
What is the make of the perimeter router? Can you terminate the VPN on it?

Can you NAT through it? I have not tried that with PIX VPNs and suspect that it would not work but it would be worth looking at.

Do you have another public IP available at your site? You may be better off to place the 501 on the perimeter in parallel with the other firewall.

Author Comment

by:rog2054
ID: 10900461
The perimeter router is a 'gnatbox' - unsure of the specifics as it was here long before I was (!)

It's set to use NAT, with port forwarding for port 500. We do have a 'spare' external IP so I'll see if I can use that one - was hoping to avoid that though due to 'office politics' etc. Gotta love the office politics! :-/

Expert Comment

by:EmpKent
ID: 10901225
The argument against the politicians is that a brand new PIX is quite a bit more secure than an open source "older" product.

But, I know where you are coming from.

Try a static NAT in the Gnatbox to that PIX and see if it works. Otherwise, I believe that to be your best option.

GL,

Kent
Author Comment

by:rog2054
ID: 10921094
Kent,

Thanks for your input.
I'm convinced it is possible to set up the PIX behind the other firewall, however I agree that for my purposes (temporary VPN for maybe 1 week) I will be best running it on a separate IP in parallel with the gnatbox (keeping the LAN interface of the PIX physically separate from the LAN interface of the gnatbox to prevent further confusion).

I agree totally that a modern PIX would be a better replacement for the current gnatbox, however as the PIX is only going to be a temporary fixture I cannot see it replacing the gnatbox - believe me I would be the first to bin the gnatbox and put in a shiny new PIX if it were my decision!

Thanks again for your help.