• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1448
  • Last Modified:

PIX to PIX VPN tunnel through a third PIX in the middle

I am trying to establish a PIX to PIX VPN tunnel that has a in the middle a third PIX firewall.


                                 
      outside PIX1                                                                                                            Outside PIX 3
                         DMZ    Outside  
  ______                  ______                 _______               MMMMMMM               _____                ______
|| PIX1 ||-----------|| PIX2 ||----------|| Router || -------- || Internet || -------|| Router ||--------|| PIX3 ||
  ~~~~                   ~~~~~               ~~~~~~~              WWWWWW             ~~~~~               ~~~~~

            <------------------------------------  V P N   T U N N E L  ---------------------------------------->

What ports and protocols should I open at the middle PIX (PIX2) and how do I do it?

Do I need to open ports in both the DMZ and Outside interfaces with an access-list?





0
ltello
Asked:
ltello
  • 2
  • 2
1 Solution
 
Tim HolmanCommented:
On the middle PIX open up:

Protocol 50
Protocol 51
TCP port 500
UDP port 500
UDP port 10000
UDP port 4500

If PIX1 does not have public IP addresses, then you will need a spare public IP address from the outside of PIX2, and then you can set NAT up or place the PIX in the DMZ with the public address.

0
 
td_milesCommented:
Here is an example config of how to do the IPSec via NAT if you need to. In the example, the IPSec tunnel is between two routers with a PIX in between. In your case the middle PIX config is still the same and you can simple translate the router IPSec setup to the commands needed for your two PIX.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
0
 
ltelloAuthor Commented:
Thanks.

I finally established the VPN tunnel and had a couple of packets going back and forward.

The only thing that I wasn’t expecting to happen is that packets needed to be authorized by an access-list in both directions at both interfaces (dmz and outside). Do you happen to know why?

access-list testdmz esp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy
access-list testdmz esp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
access-list testdmz udp host xxx.xxx.xxx.xxx eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testdmz udp host yyy.yyy.yyy.yyy eq isakmp host xxx.xxx.xxx.xxx eq isakmp

access-list testoutside esp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy
access-list testoutside esp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
access-list testoutside udp host xxx.xxx.xxx.xxx eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testoutside udp host yyy.yyy.yyy.yyy eq isakmp host xxx.xxx.xxx.xxx eq isakmp

As the document you described, only udp 500 (isakmp) and protocol 50 (esp) need to be opened to establish a VPN tunnel from site to site.
0
 
td_milesCommented:
which interfaces, in which direction (on which PIX) did you have to apply those ACL's to for it to work ?
0
 
Tim HolmanCommented:
You need two way access lists as the VPN can be initiated from either end.  Think of each PIX as a 'VPN Server'.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now