PIX to PIX VPN tunnel through a third PIX in the middle

Posted on 2004-04-24
Last Modified: 2013-11-16
I am trying to establish a PIX to PIX VPN tunnel that has a in the middle a third PIX firewall.

      outside PIX1                                                                                                            Outside PIX 3
                         DMZ    Outside  
  ______                  ______                 _______               MMMMMMM               _____                ______
|| PIX1 ||-----------|| PIX2 ||----------|| Router || -------- || Internet || -------|| Router ||--------|| PIX3 ||
  ~~~~                   ~~~~~               ~~~~~~~              WWWWWW             ~~~~~               ~~~~~

            <------------------------------------  V P N   T U N N E L  ---------------------------------------->

What ports and protocols should I open at the middle PIX (PIX2) and how do I do it?

Do I need to open ports in both the DMZ and Outside interfaces with an access-list?

Question by:ltello
  • 2
  • 2
LVL 23

Expert Comment

by:Tim Holman
ID: 10916984
On the middle PIX open up:

Protocol 50
Protocol 51
TCP port 500
UDP port 500
UDP port 10000
UDP port 4500

If PIX1 does not have public IP addresses, then you will need a spare public IP address from the outside of PIX2, and then you can set NAT up or place the PIX in the DMZ with the public address.

LVL 13

Accepted Solution

td_miles earned 500 total points
ID: 10923802
Here is an example config of how to do the IPSec via NAT if you need to. In the example, the IPSec tunnel is between two routers with a PIX in between. In your case the middle PIX config is still the same and you can simple translate the router IPSec setup to the commands needed for your two PIX.

Author Comment

ID: 10924764

I finally established the VPN tunnel and had a couple of packets going back and forward.

The only thing that I wasn’t expecting to happen is that packets needed to be authorized by an access-list in both directions at both interfaces (dmz and outside). Do you happen to know why?

access-list testdmz esp host host yyy.yyy.yyy.yyy
access-list testdmz esp host yyy.yyy.yyy.yyy host
access-list testdmz udp host eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testdmz udp host yyy.yyy.yyy.yyy eq isakmp host eq isakmp

access-list testoutside esp host host yyy.yyy.yyy.yyy
access-list testoutside esp host yyy.yyy.yyy.yyy host
access-list testoutside udp host eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testoutside udp host yyy.yyy.yyy.yyy eq isakmp host eq isakmp

As the document you described, only udp 500 (isakmp) and protocol 50 (esp) need to be opened to establish a VPN tunnel from site to site.
LVL 13

Expert Comment

ID: 10925381
which interfaces, in which direction (on which PIX) did you have to apply those ACL's to for it to work ?
LVL 23

Expert Comment

by:Tim Holman
ID: 10926309
You need two way access lists as the VPN can be initiated from either end.  Think of each PIX as a 'VPN Server'.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now