Solved

PIX to PIX VPN tunnel through a third PIX in the middle

Posted on 2004-04-24
Last Modified: 2013-11-16
I am trying to establish a PIX to PIX VPN tunnel that has a third PIX firewall in the middle.


      outside PIX1    DMZ        outside                                              outside PIX3
         ______         ______           ________       ~~~~~~~~~~       ________        ______
       || PIX1 ||-----|| PIX2 ||-------|| Router ||----( Internet )----|| Router ||----|| PIX3 ||
         ~~~~~~         ~~~~~~           ~~~~~~~~       ~~~~~~~~~~       ~~~~~~~~        ~~~~~~

       <---------------------------------  V P N   T U N N E L  --------------------------------->

What ports and protocols should I open at the middle PIX (PIX2) and how do I do it?

Do I need to open ports in both the DMZ and Outside interfaces with an access-list?





Question by:ltello
5 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10916984
On the middle PIX open up:

Protocol 50
Protocol 51
TCP port 500
UDP port 500
UDP port 10000
UDP port 4500

If PIX1 does not have public IP addresses, then you will need a spare public IP address from the outside of PIX2, and then you can set NAT up or place the PIX in the DMZ with the public address.

 
LVL 13

Accepted Solution

by:
td_miles earned 500 total points
ID: 10923802
Here is an example config of how to do the IPSec via NAT if you need to. In the example, the IPSec tunnel is between two routers with a PIX in between. In your case the middle PIX config is still the same, and you can simply translate the router IPSec setup to the commands needed for your two PIX.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
 
LVL 1

Author Comment

by:ltello
ID: 10924764
Thanks.

I finally established the VPN tunnel and had a couple of packets going back and forward.

The only thing that I wasn’t expecting to happen is that packets needed to be authorized by an access-list in both directions at both interfaces (dmz and outside). Do you happen to know why?

access-list testdmz remark ESP and ISAKMP between the two tunnel endpoints, both directions
access-list testdmz permit esp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy
access-list testdmz permit esp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
access-list testdmz permit udp host xxx.xxx.xxx.xxx eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testdmz permit udp host yyy.yyy.yyy.yyy eq isakmp host xxx.xxx.xxx.xxx eq isakmp

access-list testoutside remark same rules, applied on the outside interface
access-list testoutside permit esp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy
access-list testoutside permit esp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx
access-list testoutside permit udp host xxx.xxx.xxx.xxx eq isakmp host yyy.yyy.yyy.yyy eq isakmp
access-list testoutside permit udp host yyy.yyy.yyy.yyy eq isakmp host xxx.xxx.xxx.xxx eq isakmp

As described in the document you referenced, only udp 500 (isakmp) and protocol 50 (esp) need to be opened to establish a VPN tunnel from site to site.
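A complete pass-through config for the middle PIX, pulling together the protocol list from the first comment and the interface ACLs from the author's comment above. This is an added example, not config from the thread or from Cisco; it assumes PIX 6.3 syntax, that PIX1's outside address is private (192.168.100.2 behind PIX2's dmz), that PIX2 lends it the spare public address 203.0.113.10 via a one-to-one static, and that PIX3's public address is 198.51.100.5 (all addresses constructed for illustration). Lines starting with `:` are PIX config comments.

```cisco
: Added example (not from the thread): PIX2 passes an IPsec tunnel between
: PIX1 (on the dmz, private address) and PIX3 (on the Internet).
: Assumed addresses: PIX1 outside 192.168.100.2, PIX2 public 203.0.113.1,
: spare public for PIX1 203.0.113.10, PIX3 outside 198.51.100.5.
nameif ethernet1 outside security0
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
:
: One-to-one translation so PIX3 reaches PIX1 as 203.0.113.10. IKE and ESP
: are not rewritten, so NAT-T (udp 4500) must be allowed as well as udp 500.
static (dmz,outside) 203.0.113.10 192.168.100.2 netmask 255.255.255.255
:
: Outside interface: traffic from PIX3 toward PIX1. Inbound ACLs on the
: outside interface reference the translated (global) address of PIX1.
access-list outside_in remark IPsec from PIX3 to PIX1: ESP, ISAKMP, NAT-T
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq 4500
access-list outside_in remark add ahp (protocol 51) and udp 10000 only if the peers use them
access-group outside_in in interface outside
:
: DMZ interface: traffic from PIX1 toward PIX3. Needed because either peer
: can initiate the tunnel, and because applying any ACL to dmz denies all
: traffic it does not explicitly permit. Source is PIX1's real address.
access-list dmz_in remark IPsec from PIX1 to PIX3: ESP, ISAKMP, NAT-T
access-list dmz_in permit esp host 192.168.100.2 host 198.51.100.5
access-list dmz_in permit udp host 192.168.100.2 host 198.51.100.5 eq isakmp
access-list dmz_in permit udp host 192.168.100.2 host 198.51.100.5 eq 4500
access-group dmz_in in interface dmz
```

Verify with `show access-list` after bringing the tunnel up: the esp and udp 500 (or 4500) entries on both ACLs should show non-zero hit counts, which confirms the tunnel is using the translated address you expect rather than being dropped silently.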
 
LVL 13

Expert Comment

by:td_miles
ID: 10925381
Which interfaces, in which direction (on which PIX), did you have to apply those ACLs to for it to work?
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10926309
You need two-way access lists as the VPN can be initiated from either end. Think of each PIX as a 'VPN Server'.
