Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

PIX501->PIX501 VPN - which ports to forward on perimeter firewall to pix?

Posted on 2004-04-23
6
Medium Priority
?
1,428 Views
Last Modified: 2010-08-05
I am setting up a multi-site VPN uses cisco 501's in a hub and spoke arrangement (as opposed to a mesh topology). Each site will have its own server.

I have successfully setup the main site and one of the remote sites, and the VPN between them works as expected.
I am now setting up the 3rd office (ie 2nd remote site), but wish to do this initially from within our office (different company, not either of the 2 existing VPN offices) to allow the majority of the server config here before taking it to the remote site.

In our office we have a perimeter firewall between our LAN and the Internet. To avoid disruption to the network i have to setup the pix within our LAN, rather than having it on the Internet directly. My question is which ports do i need to port-forward on the main perimeter firewall to allow the VPN to connect from the remote main office to the pix on our LAN.

(didnt explain that too well...here's a diagram)

(Main Site with PIX 501) ----Intenet VPN-----(Our Office Perimeter Firewall)----(PIX 501 in our office)

I am currently forwarding port 443 from the perimeter firewall to the pix, but does not seem to be bringing up the tunnel as expected. I have enabled ipsec and isakmp debugging but the pix just replies 'no response received' when i try pinging the remote pix from the local pix.

0
Comment
Question by:rog2054
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 7

Accepted Solution

by:
EmpKent earned 1000 total points
ID: 10899338
IPSec uses UDP 500 and Protocols 50 and 51.

Port 443 would allow you to manage it remotely if you have set the source IP up in the PIX but that is not a particularly good idea.

Allowing ICMP in both PIX's will allow you to ping the remote box but that isn't really necessary. Watching an isakmp debug once you have allowed IPSec will show you connectivity.

0
 
LVL 3

Author Comment

by:rog2054
ID: 10900021
Afriad i was having a bit of an absent moment earlier when i set 443. I now realise that was for SSL and that it is of course 500 for ipsec - one of those things! Thanks for the memory jog EmpKent.

However, i have hit another hurdle. Here is the output from the debug when the tunnel attempted to connect:

ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired:
 count = 1,
  (identity) local= 10.40.6.51, remote= 80.176.125.66,
    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 10.40.6.51, dst 80.176.125.66
ISADB: reaper checking SA 0xa00bec, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 80.176.125.66/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 10.40.6.51, remote= 80.176.125.66,
    local_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)

I guess the problem is the (identity) local which is been reported as 10.40.6.51 - this is the IP of the WAN port of the pix, and is part of the 10.40.x.x subnet in between the local pix and the perimeter firewall.

How do i set the pix to report its identity as the WAN IP of the perimeter firewall 62.x.x.x?
The PIX at the other office is expecting a tunnel between itself and the 62.x.x.x address accordingly.


(PS: I've increased the points also as this is an extension of the original question)

0
 
LVL 7

Expert Comment

by:EmpKent
ID: 10900134
What is the make of the perimeter router? Can you terminate the VPN on it?

Can you NAT through it? I have not tried that with PIX VPN's and suspect that it would not work but it would be worth looking at.

Do you have another public IP available at your site? You may be better off to place the 501 on the perimeter in parallel with the other firewall.

0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 3

Author Comment

by:rog2054
ID: 10900461
The perimeter router is a 'gnatbox' - unsure of the specifics as it was here long before i was (!)

Its set to use NAT, with port forwarding for port500. We do have a 'spare' external IP so i'll see if i can use that one - was hoping to avoid that though due to 'office politics' etc. Gotta love the office politics! :-/





0
 
LVL 7

Expert Comment

by:EmpKent
ID: 10901225
The arguement against the politicians is that a brand new PIX is quite a bit more secure than an open source "older" product.

But, I know where you are coming from.

Try a static NAT in the Gnatbox to that PIX and see if it works. Otherwise, I believe that to be your best option.

GL,

Kent
0
 
LVL 3

Author Comment

by:rog2054
ID: 10921094
Kent,

Thanks for your input.
I'm convinced it is possible to setup the PIX behind the other firewall, however i agree that for my purposes (temporary vpn for maybe 1 week) i will be best running it on a separate IP in parallel with the gnatbox (keeping the LAN interface of the PIX physically separate from the LAN interface of the gnatbox to prevent futhur confusion.

I agree totally that a modern PIX would be a better replacement for the current gnatbox, however as the pix is only going to be a temporary fixture i cannot see it replacing the gnatbox - believe me i would be the first to bin the gnatbox and put in a shiney new pix if it were my decision!

Thanks again for your help.
0

Featured Post

Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question