PIX 506e Allow VPN traffic for Vendor

Posted on 2007-08-03
Last Modified: 2010-04-09
I have a vendor that needs to set up a VPN that will pass through my PIX 506e firewall. The vendor requested the following:

Outbound from router
UDP 4500 to
GRE to
UDP 500 to
And ESP to

Inbound from
UDP 4500 to
GRE to
UDP 500 to
And ESP to

The vendor also requests that I give them one-to-one address translation and not PAT.

Can anyone provide the commands I need to run on the firewall?

Question by:dupont2406
    Expert Comment

    First, do you have a free public ip that is not used ?

    Second, can you draw an ascii diagram here ?

    Third, both are private ip addresses so, what will be vendor side public ip ?

    Accepted Solution

    Basic concept here:

    all outbound is already allowed, no acls required.
    where "outside_in" is your existing acl if you have one
    where is a spare public IP address
    where is the private ip address of the host inside the network

    access-list outside_in permit udp host eq 4500 host eq 4500
    access-list outside_in permit udp host eq 500 host eq 500
    access-list outside_in permit gre host  host
    access-list outside_in permit esp host  host
    access-group outside_in in interface outside
    static (inside,outside) netmask
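An added check, not from this thread, for verifying that a saved PIX 6.x config matches what the accepted solution describes: the four inbound permits (UDP 500, UDP 4500, GRE, ESP) from the vendor peer to the spare public IP, applied inbound on the outside interface, plus a one-to-one static rather than PAT. The sample config and the RFC 5737 addresses (203.0.113.10 as the vendor peer, 198.51.100.5 as the spare public IP, 192.168.1.20 as the inside host) are constructed; the stray telnet rule is there to show what the check flags.

```python
# Constructed sample PIX 6.x config (not from the page), using RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
access-list outside_in permit udp host 203.0.113.10 eq 4500 host 198.51.100.5 eq 4500
access-list outside_in permit udp host 203.0.113.10 eq 500 host 198.51.100.5 eq 500
access-list outside_in permit gre host 203.0.113.10 host 198.51.100.5
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.5
access-list outside_in permit tcp any host 198.51.100.5 eq 23
access-group outside_in in interface outside
static (inside,outside) 198.51.100.5 192.168.1.20 netmask 255.255.255.255
"""
def _endpoint(tok):
    """Consume 'any', 'host <ip>' or '<net> <mask>', plus an optional 'eq <port>'."""
    if tok[0] == "any":
        addr, rest = "any", tok[1:]
    elif tok[0] == "host":
        addr, rest = tok[1], tok[2:]
    else:
        addr, rest = tok[0] + "/" + tok[1], tok[2:]
    port = rest[1] if rest[:1] == ["eq"] else None
    return addr, port, rest[2:] if port else rest
def parse_config(text):
    """Return ({acl: [(proto, src, sport, dst, dport)]}, {interface: acl}, {(global, local)})."""
    acls, bindings, statics = {}, {}, set()
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) > 4 and tok[0] == "access-list" and tok[2] == "permit":
            src, sport, rest = _endpoint(tok[4:])
            dst, dport, _ = _endpoint(rest)
            acls.setdefault(tok[1], []).append((tok[3], src, sport, dst, dport))
        elif len(tok) == 5 and tok[0] == "access-group" and tok[2] == "in":
            bindings[tok[4]] = tok[1]
        elif len(tok) == 6 and tok[0] == "static" and tok[5] == "255.255.255.255":
            statics.add((tok[2], tok[3]))  # one-to-one static (global, local), not PAT
    return acls, bindings, statics

def check_passthrough(text, vendor_ip, public_ip, inside_ip):
    """List deviations from the minimal rule set the vendor asked for; [] means it matches."""
    acls, bindings, statics = parse_config(text)
    findings = [] if (public_ip, inside_ip) in statics else [
        "missing one-to-one static %s -> %s" % (public_ip, inside_ip)]
    acl = bindings.get("outside")
    if acl is None:
        return findings + ["no access-group applied inbound on interface outside"]
    # PIX 6.x outside ACLs match the global (translated) address, so the rules name public_ip.
    wanted = {("udp", vendor_ip, "500", public_ip, "500"), ("udp", vendor_ip, "4500", public_ip, "4500"),
              ("gre", vendor_ip, None, public_ip, None), ("esp", vendor_ip, None, public_ip, None)}
    present = set(acls.get(acl, []))
    findings += ["%s: required rule missing: %s" % (acl, r) for r in sorted(wanted - present, key=str)]
    # Any other rule reaching the translated host is exposure beyond what the vendor asked for.
    findings += ["%s: extra exposure of %s: %s" % (acl, public_ip, r) for r in present - wanted if r[3] in (public_ip, "any")]
    return findings
```

Run it against `show running-config` output saved to a file; an empty list means the ACL and static are exactly what the vendor needs and nothing more.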
