PIX501->PIX501 VPN - which ports to forward on perimeter firewall to pix?
Posted on 2004-04-23
I am setting up a multi-site VPN using Cisco 501s in a hub and spoke arrangement (as opposed to a mesh topology). Each site will have its own server.
I have successfully set up the main site and one of the remote sites, and the VPN between them works as expected.
I am now setting up the 3rd office (i.e. 2nd remote site), but wish to do this initially from within our office (a different company, not either of the 2 existing VPN offices) to allow the majority of the server config to be done here before taking it to the remote site.
In our office we have a perimeter firewall between our LAN and the Internet. To avoid disruption to the network I have to set up the PIX within our LAN, rather than having it on the Internet directly. My question is which ports do I need to port-forward on the main perimeter firewall to allow the VPN to connect from the remote main office to the PIX on our LAN.
(didn't explain that too well... here's a diagram)
(Main Site with PIX 501) ----Internet VPN-----(Our Office Perimeter Firewall)----(PIX 501 in our office)
I am currently forwarding port 443 from the perimeter firewall to the PIX, but this does not seem to be bringing up the tunnel as expected. I have enabled ipsec and isakmp debugging but the PIX just replies 'no response received' when I try pinging the remote PIX from the local PIX.
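Added example, not from the original post and not Cisco's code: a small Python model of what a perimeter firewall must forward for an IPsec site-to-site tunnel to come up through it. The `Flow`/`ForwardRule` names and the three rule sets are constructed for illustration; the flows themselves are the standard IKE/IPsec ones (IKE on UDP/500, NAT traversal on UDP/4500, ESP as IP protocol 50). It checks the question's forward-only-443 setup against a corrected one, with and without NAT-T.

```python
"""Check which IPsec flows a set of port-forward rules lets through to an
inside VPN peer. Example code added to this thread (constructed rule sets,
hypothetical class names); the required flows are the standard ones."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str            # "udp", "tcp" or "esp"
    port: Optional[int]   # destination port; None for port-less protocols
    purpose: str


@dataclass(frozen=True)
class ForwardRule:
    proto: str
    port: Optional[int]   # None = any port (or a port-less protocol like ESP)

    def admits(self, flow: Flow) -> bool:
        if self.proto != flow.proto:
            return False
        return self.port is None or self.port == flow.port


# What an IKEv1/IPsec tunnel needs when the inside peer sits behind NAT.
# With NAT-T both peers move to UDP/4500 and ESP is UDP-encapsulated, so
# raw ESP need not be forwarded; without NAT-T, ESP (IP proto 50) must be.
# TCP/443 is HTTPS and carries no part of the tunnel.
IKE = Flow("udp", 500, "IKE phase 1/2 negotiation")
NAT_T = Flow("udp", 4500, "IKE + UDP-encapsulated ESP (NAT-T)")
ESP = Flow("esp", None, "ESP data traffic (IP protocol 50)")


def required_flows(nat_traversal: bool) -> List[Flow]:
    return [IKE, NAT_T] if nat_traversal else [IKE, ESP]


def blocked_flows(rules: List[ForwardRule], nat_traversal: bool) -> List[Flow]:
    """Return the required flows that no forwarding rule admits."""
    return [f for f in required_flows(nat_traversal)
            if not any(r.admits(f) for r in rules)]


# Constructed rule sets: the one described in the question, then two fixes.
ONLY_443 = [ForwardRule("tcp", 443)]
IPSEC_NAT_T = [ForwardRule("udp", 500), ForwardRule("udp", 4500)]
IPSEC_NO_NAT_T = [ForwardRule("udp", 500), ForwardRule("esp", None)]


def report(name: str, rules: List[ForwardRule], nat_traversal: bool) -> str:
    """Human-readable summary of what a rule set still blocks."""
    missing = blocked_flows(rules, nat_traversal)
    mode = "NAT-T" if nat_traversal else "no NAT-T"
    if not missing:
        return f"{name} ({mode}): all required IPsec flows are forwarded"
    blocked = ", ".join(f"{f.proto}/{f.port or '-'} ({f.purpose})" for f in missing)
    return f"{name} ({mode}): tunnel cannot come up, blocked: {blocked}"


if __name__ == "__main__":
    print(report("forward 443 only", ONLY_443, nat_traversal=True))
    print(report("forward 500+4500", IPSEC_NAT_T, nat_traversal=True))
    print(report("forward 500+4500", IPSEC_NAT_T, nat_traversal=False))
    print(report("forward 500+ESP", IPSEC_NO_NAT_T, nat_traversal=False))
```

The model makes the practical point explicit: a firewall that only forwards TCP/443 admits none of the flows IKE or ESP use, so the isakmp debug never sees a reply. Forwarding UDP/500 alone is also not enough once the inside PIX is behind NAT, because ESP carries no port and cannot be port-forwarded by an ordinary PAT rule; the peers need NAT-T (UDP/4500) enabled on both ends, which PIX OS 6.3 provides with `isakmp nat-traversal`. Whether the perimeter device can pass raw ESP at all is device-specific and should be checked before relying on the no-NAT-T row.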