PIX to PIX VPN tunnel through a third PIX in the middle

Posted on 2004-04-24
Last Modified: 2013-11-16
I am trying to establish a PIX to PIX VPN tunnel that has a third PIX firewall in the middle.

      outside PIX1                                                                                                            Outside PIX 3
                         DMZ    Outside  
  ______                  ______                 _______               MMMMMMM               _____                ______
|| PIX1 ||-----------|| PIX2 ||----------|| Router || -------- || Internet || -------|| Router ||--------|| PIX3 ||
  ~~~~                   ~~~~~               ~~~~~~~              WWWWWW             ~~~~~               ~~~~~

            <------------------------------------  V P N   T U N N E L  ---------------------------------------->

What ports and protocols should I open at the middle PIX (PIX2) and how do I do it?

Do I need to open ports in both the DMZ and Outside interfaces with an access-list?

Question by:ltello

Expert Comment

by:Tim Holman
On the middle PIX open up:

Protocol 50
Protocol 51
TCP port 500
UDP port 500
UDP port 10000
UDP port 4500

If PIX1 does not have public IP addresses, then you will need a spare public IP address from the outside of PIX2, and then you can set NAT up or place the PIX in the DMZ with the public address.


Accepted Solution

td_miles earned 500 total points
Here is an example config of how to do the IPSec via NAT if you need to. In the example, the IPSec tunnel is between two routers with a PIX in between. In your case the middle PIX config is still the same, and you can simply translate the router IPSec setup to the commands needed for your two PIX.

Author Comment


I finally established the VPN tunnel and had a couple of packets going back and forward.

The only thing that I wasn’t expecting to happen is that packets needed to be authorized by an access-list in both directions at both interfaces (dmz and outside). Do you happen to know why?

access-list testdmz permit esp host host yyy.yyy.yyy.yyy
access-list testdmz permit esp host yyy.yyy.yyy.yyy host
access-list testdmz permit udp host eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testdmz permit udp host yyy.yyy.yyy.yyy eq isakmp host eq isakmp

access-list testoutside permit esp host host yyy.yyy.yyy.yyy
access-list testoutside permit esp host yyy.yyy.yyy.yyy host
access-list testoutside permit udp host eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testoutside permit udp host yyy.yyy.yyy.yyy eq isakmp host eq isakmp

As in the document you described, only udp 500 (isakmp) and protocol 50 (esp) need to be opened to establish a VPN tunnel from site to site.

Expert Comment

Which interfaces, in which direction (on which PIX), did you have to apply those ACLs to for it to work?

Expert Comment

by:Tim Holman
You need two way access lists as the VPN can be initiated from either end.  Think of each PIX as a 'VPN Server'.
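The thread's conclusion (Tim Holman's port list, the author's testdmz/testoutside lines, and the point that the tunnel can be initiated from either end) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small evaluator for PIX-style access-list lines that parses one interface's ACL and reports which of the flows a site-to-site IPsec tunnel needs (IKE on UDP 500 and ESP, in both directions) that ACL does not permit. The two addresses are constructed placeholders, and the parser only understands the `host`/`any` and `eq` forms that appear in the thread.

```python
"""Added example, not code from the original thread: evaluate PIX-style
access-list lines against the flows a site-to-site IPsec tunnel needs,
in both directions. Addresses are constructed placeholders."""

from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (assumption): PIX1's outside address,
# which sits on PIX2's DMZ, and PIX3's outside address on the Internet.
PIX1_OUTSIDE = "192.0.2.10"
PIX3_OUTSIDE = "203.0.113.20"

# Port names the PIX accepts in place of numbers; only the one the thread uses.
PORT_NAMES = {"isakmp": 500}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "esp", "ah", "udp", "tcp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    proto: str
    src: Optional[str]          # None means "any"
    sport: Optional[int]        # None means any port
    dst: Optional[str]
    dport: Optional[int]


def _parse_endpoint(tokens, i):
    """Consume 'host A' or 'any', then an optional 'eq PORT'."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address form: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        i += 2
    return addr, port, i


def parse_acl(text):
    """Parse lines of the form
    access-list NAME {permit|deny} PROTO {host A|any} [eq P] {host B|any} [eq P]
    Blank lines and '!' comment lines are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, sport, i = _parse_endpoint(tokens, 4)
        dst, dport, _ = _parse_endpoint(tokens, i)
        rules.append(Rule(name, action, proto, src, sport, dst, dport))
    return rules


def permits(rules, pkt):
    """First matching rule wins; a PIX ACL ends with an implicit deny."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if r.src is not None and r.src != pkt.src:
            continue
        if r.dst is not None and r.dst != pkt.dst:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action == "permit"
    return False


def tunnel_flows(peer_a, peer_b):
    """IKE (UDP 500) and ESP (IP protocol 50) in both directions. AH, NAT-T
    (UDP 4500) and UDP 10000 from the thread's list are left out here because
    plain ESP with no NAT in the path does not use them."""
    flows = []
    for s, d in ((peer_a, peer_b), (peer_b, peer_a)):
        flows.append(Packet("udp", s, d, 500, 500))
        flows.append(Packet("esp", s, d))
    return flows


def missing_flows(acl_text, peer_a, peer_b):
    """Tunnel flows the ACL does not permit; an empty list means it is complete."""
    rules = parse_acl(acl_text)
    return [p for p in tunnel_flows(peer_a, peer_b) if not permits(rules, p)]


# A first attempt that only permits PIX1 -> PIX3 (constructed).
ONE_WAY_ACL = f"""
access-list testdmz permit esp host {PIX1_OUTSIDE} host {PIX3_OUTSIDE}
access-list testdmz permit udp host {PIX1_OUTSIDE} eq isakmp host {PIX3_OUTSIDE} eq isakmp
"""

# The shape the thread ended up with: both directions on the same interface.
TWO_WAY_ACL = ONE_WAY_ACL + f"""
access-list testdmz permit esp host {PIX3_OUTSIDE} host {PIX1_OUTSIDE}
access-list testdmz permit udp host {PIX3_OUTSIDE} eq isakmp host {PIX1_OUTSIDE} eq isakmp
"""

if __name__ == "__main__":
    for label, acl in (("one-way", ONE_WAY_ACL), ("two-way", TWO_WAY_ACL)):
        gaps = missing_flows(acl, PIX1_OUTSIDE, PIX3_OUTSIDE)
        print(f"{label}: {'complete' if not gaps else f'missing {len(gaps)} flows'}")
        for p in gaps:
            print("   not permitted:", p)
```

Run it once per interface ACL (testdmz, then testoutside) with the two peer addresses; the one-way ACL reports the two responder-to-initiator flows as missing, which is exactly the gap that shows up when PIX3 is the side that brings the tunnel up or rekeys it. The check is deliberately narrow: it does not model `static`/`nat` translations or interface security levels, so a complete ACL here is necessary, not sufficient, for the tunnel to pass.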
