PIX to PIX VPN tunnel through a third PIX in the middle

Posted on 2004-04-24
Last Modified: 2013-11-16
I am trying to establish a PIX to PIX VPN tunnel that has a in the middle a third PIX firewall.

      outside PIX1                                                                                                            Outside PIX 3
                         DMZ    Outside  
  ______                  ______                 _______               MMMMMMM               _____                ______
|| PIX1 ||-----------|| PIX2 ||----------|| Router || -------- || Internet || -------|| Router ||--------|| PIX3 ||
  ~~~~                   ~~~~~               ~~~~~~~              WWWWWW             ~~~~~               ~~~~~

            <------------------------------------  V P N   T U N N E L  ---------------------------------------->

What ports and protocols should I open at the middle PIX (PIX2) and how do I do it?

Do I need to open ports in both the DMZ and Outside interfaces with an access-list?

Question by:ltello
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 23

Expert Comment

by:Tim Holman
ID: 10916984
On the middle PIX open up:

Protocol 50
Protocol 51
TCP port 500
UDP port 500
UDP port 10000
UDP port 4500

If PIX1 does not have public IP addresses, then you will need a spare public IP address from the outside of PIX2, and then you can set NAT up or place the PIX in the DMZ with the public address.

LVL 13

Accepted Solution

td_miles earned 500 total points
ID: 10923802
Here is an example config of how to do the IPSec via NAT if you need to. In the example, the IPSec tunnel is between two routers with a PIX in between. In your case the middle PIX config is still the same and you can simple translate the router IPSec setup to the commands needed for your two PIX.

Author Comment

ID: 10924764

I finally established the VPN tunnel and had a couple of packets going back and forward.

The only thing that I wasn’t expecting to happen is that packets needed to be authorized by an access-list in both directions at both interfaces (dmz and outside). Do you happen to know why?

access-list testdmz esp host host yyy.yyy.yyy.yyy
access-list testdmz esp host yyy.yyy.yyy.yyy host
access-list testdmz udp host eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testdmz udp host yyy.yyy.yyy.yyy eq isakmp host eq isakmp

access-list testoutside esp host host yyy.yyy.yyy.yyy
access-list testoutside esp host yyy.yyy.yyy.yyy host
access-list testoutside udp host eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testoutside udp host yyy.yyy.yyy.yyy eq isakmp host eq isakmp

As the document you described, only udp 500 (isakmp) and protocol 50 (esp) need to be opened to establish a VPN tunnel from site to site.
LVL 13

Expert Comment

ID: 10925381
which interfaces, in which direction (on which PIX) did you have to apply those ACL's to for it to work ?
LVL 23

Expert Comment

by:Tim Holman
ID: 10926309
You need two way access lists as the VPN can be initiated from either end.  Think of each PIX as a 'VPN Server'.

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Hit router interface limit 7 68
Cisco Edge Routers for BGP 6 96
Moving vSAN traffic to a new network 4 72
Blocking outside IP Addresses 16 58
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question