Cisco router to PIX IPSEC VPN access-lists

Posted on 2004-11-18
Last Modified: 2010-04-17
Quick question.  I have a network with PIX firewalls in the field and a central office running a beefed-up Cisco router as the central endpoint.  This was done to allow for VPN failover in the future.  Everything is working wonderfully, but I am stuck with the access-lists.  We have 3 static hosts sitting behind the central router that need to be accessible to the internet for web, ftp, etc.  If I put in the access-lists to allow this, what do I need to put in to keep allowing the IPSEC traffic?  I was going to put just a standard access-list on the s0 interface of the router, but think that I need an "access-list 101 permit ipsec any (inside-host)" type statement.
Question by:coastalinteractive2
3 Comments

Expert Comment

by:grblades
ID: 12623021
Hi coastalinteractive2,
access-list 101 permit udp any any eq 500
access-list 101 permit esp any any

udp 500 is used for authentication and esp (ip protocol 50) is used to carry the encrypted traffic.
Author Comment

by:coastalinteractive2
ID: 12646561
Is this true even if the router itself is the VPN endpoint?  I thought that statement allowed the router to pass the traffic through to an endpoint behind it?
Accepted Solution

by: grblades (earned 200 total points)
ID: 12647164
It would depend on where the access-list was applied. If an access-list is applied in the inbound direction on the internet-connecting interface, then these two entries would need to be added.
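To make the accepted answer concrete, here is an added illustration (written for this thread, not code posted by the asker or by grblades) that simulates how a Cisco IOS extended access-list evaluates inbound packets: entries are checked top to bottom, the first match decides, and every list ends with an implicit "deny ip any any". It parses the two entries from the answer together with web/ftp entries for the published hosts, then shows that without the IKE and ESP entries the tunnel traffic to the router itself falls through to the implicit deny. All addresses and the sample ACL text are constructed for the example: 203.0.113.1 stands for the router's s0 address, 203.0.113.10 and .11 for two of the static hosts, 192.0.2.1 for a remote PIX.

```python
"""Simulate first-match evaluation of a Cisco IOS extended access-list.

Added example for this thread, not code from the question or the answer.
Constructed data: the ACL text below and every address used in it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Protocol keywords the parser understands (all are valid IOS keywords).
PROTOCOLS = {"ip", "tcp", "udp", "esp", "ahp", "icmp", "gre"}
# A few of the port names IOS accepts after 'eq'.
PORT_NAMES = {"www": 80, "ftp": 21, "isakmp": 500, "domain": 53, "smtp": 25, "telnet": 23}


@dataclass(frozen=True)
class Ace:
    """One access-control entry of the list."""
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'ip' matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None: any destination port


@dataclass(frozen=True)
class Packet:
    """The fields of an inbound packet that the ACL looks at."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard sets the bits that do NOT have to match, i.e. an inverted netmask.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    proto = t[3]
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol in: {line}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t):
        if t[i] != "eq" or proto not in ("tcp", "udp"):
            raise ValueError(f"only 'eq <port>' on tcp/udp is supported: {line}")
        name = t[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(t[2], proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    """Parse a block of access-list lines; blank lines and '!' comments are skipped."""
    lines = [l.strip() for l in text.splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: the first matching entry wins; no match means the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed: the list the question describes, published services only.
HOSTS_ONLY_ACL = """
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp any host 203.0.113.11 eq ftp
"""

# Constructed: the same list with the two entries from the answer placed in front.
WITH_IPSEC_ACL = """
access-list 101 permit udp any any eq 500
access-list 101 permit esp any any
""" + HOSTS_ONLY_ACL


def demo() -> dict:
    """Evaluate the same inbound packets against both lists; returns {name: (without, with)}."""
    hosts_only, with_ipsec = parse_acl(HOSTS_ONLY_ACL), parse_acl(WITH_IPSEC_ACL)
    samples = {
        "IKE from PIX to router": Packet("udp", "192.0.2.1", "203.0.113.1", 500),
        "ESP from PIX to router": Packet("esp", "192.0.2.1", "203.0.113.1"),
        "HTTP to static host": Packet("tcp", "198.51.100.7", "203.0.113.10", 80),
        "Telnet to static host": Packet("tcp", "198.51.100.7", "203.0.113.10", 23),
    }
    return {name: (evaluate(hosts_only, p), evaluate(with_ipsec, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (without, with_) in demo().items():
        print(f"{name:24s} hosts-only: {without:6s} with IKE/ESP entries: {with_}")
```

Applied inbound on s0, the hosts-only list lets the web and ftp traffic through but drops the IKE negotiation and the ESP packets addressed to the router itself, which is exactly the gap the two added entries close. Two refinements not discussed in the thread: the "any any" entries can be narrowed to "host <s0 address>" as the destination, since the router is the only IPsec endpoint on that interface, and if a PIX ever sits behind a NAT device, NAT traversal (UDP 4500) would need an entry of its own.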