Compuz asked on

Need to create a dmz and "sandwiching VPN device?"

OK, so I was on "another site" and they were talking way above me. I am technically inclined, but not a Cisco expert by any means.

I have a computer that sits behind a Pix 506 and Netopia router set on clearsailing with nat enabled on both. The computer inside all this has a route set in it so if I connect to a certain website it will redirect to an internal router that will then attempt to ping 1 of 4 predefined IP addresses on the web. If the router gets replies from the ping, it will then start a VPN to the "other side" and the information exchange to this website begins. If there is no response from the ping, the router goes into dial backup and communication is slooooow.

Here is a basic setup

PC  -
Supplied Cisco Router -  - I have no access to configure/change this device
Pix inside -
Pix outside -
Netopia Inside -
Netopia Outside -

I have been able to configure the PIX so my pings are getting a response and I stay out of dial backup. However, the PIX is blocking IPSec (or so I'm told) traffic so no data is moving back and forth.

From my understanding, I need to create a DMZ, an access list, and such, but I do not know how to do that. And as I search, I think I'm just confusing myself further.

If there is someone that could help me out. The commands for the PIX would be ideal

Thanks in advance for any help.
Last Comment

8/22/2022 - Mon

To confirm, is it the device that is terminating the VPN? Could you post the config of your pix?

The device is the one that will start the ping, then if successful, start the VPN. So long story short, yes it is the local end of the VPN. The PIX has nothing to do with the VPN other than pass traffic.

Current Config from the PIX

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pzo99KnjigybDpoA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
name Fed-Ping-2
name Fed-Ping-3
name Fed-Ping-4
object-group service WebBrowse tcp
  port-object eq https
  port-object eq www
  port-object eq hostname
  port-object eq pop3
  port-object eq pop2
object-group network Fed-Ping
  description Address Fed router needs to ping
  network-object Fed-Ping-3
  network-object Fed-ping-1
  network-object Fed-Ping-4
  network-object Fed-Ping-2
access-list inside_access_in permit ip host Autosig any
access-list inside_access_in permit ip host MichelleBrunger any
access-list inside_access_in permit ip host Fedline-PC any
access-list inside_access_in permit ip host PCS_VPN_Backup any
access-list inside_access_in deny ip any any
access-list allow_ping permit icmp any any sourc
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap informational
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit name Drop attack action alarm drop
ip audit interface outside Drop
ip audit interface inside Drop
ip audit info action alarm
ip audit attack action alarm drop
pdm location Family-Network inside
pdm location inside
pdm location Fed-Ping-3 outside
pdm location Fed-ping-1 outside
pdm location Fed-Ping-4 outside
pdm location Fed-Ping-2 outside
pdm group Fed-Ping outside
pdm logging emergencies 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
access-group allow_ping in interface outside
access-group inside_access_in in interface inside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http inside
http Family-Network inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
username backup password uaGWJbWctUTmT2Ux encrypted privilege 15
username mikeadmin password JnFUdG0EtWWG4v5E encrypted privilege 3
username family015 password 8PywcgXtcU7NvIoo encrypted privilege 3
username mena password W3jAFswBn342jFgr encrypted privilege 3
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username amc01 password MqoqBeUU1juVFHeM
username jeffc password LzFxEvZvUJa213xc encrypted privilege 15
privilege show level 0 command version
privilege show level 0 command curpriv
privilege show level 3 command pdm
privilege show level 3 command blocks
privilege show level 3 command ssh
privilege configure level 3 command who
privilege show level 3 command isakmp
privilege show level 3 command ipsec
privilege show level 3 command vpdn
privilege show level 3 command local-host
privilege show level 3 command interface
privilege show level 3 command ip
privilege configure level 3 command ping
privilege show level 3 command uauth
privilege configure level 5 mode enable command configure
privilege show level 5 command running-config
privilege show level 5 command privilege
privilege show level 5 command clock
privilege show level 5 command ntp
privilege show level 5 mode configure command logging
privilege show level 5 command fragment
terminal width 80
:  end

OK, so to allow VPN traffic in, first you will need a static NAT that will allow your VPN endpoint to be accessible from the internet:-

static (inside, outside) udp 4500 4500
static (inside, outside) udp 500 500
static (inside, outside) esp

This will translate (or whatever IP in your range you assign to this router) to the internal address for the ports required for an IPSEC vpn.

Next, modify the access list on the outside interface:-

access-list allow_ping permit icmp any any sourc
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-list allow_ping permit udp 500 any host
access-list allow_ping permit udp 4500 any host
access-list allow_ping permit esp any host

This will allow anyone on the internet to connect to the VPN, so you may want to lock it down to the specific host that tries to connect.

Bear in mind your Netopia router will also need to be configured to forward the VPN traffic, and the VPN will need to support NAT Traversal (NAT-T).
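
The lock-down suggested in the answer above can be checked mechanically. As an added example (not from the thread or from Cisco), this Python check reads PIX 6.x-style `access-list` lines and reports whether IKE (UDP 500), NAT-T (UDP 4500) and ESP are permitted, and whether any of them is open to `any` source. The sample ACL, its RFC 5737 addresses and the function names are constructed for illustration, and only explicit `eq <port>` and `esp` permit lines are matched.

```python
# Added example: audit a PIX 6.x-style ACL for IPsec pass-through exposure.
# Constructed sample; addresses are RFC 5737 documentation ranges.
SAMPLE_OPEN = """\
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit udp any host 192.0.2.10 eq isakmp
access-list allow_ping permit udp any host 192.0.2.10 eq 4500
access-list allow_ping permit esp any host 192.0.2.10
"""
# Same ACL restricted to one (hypothetical) remote VPN peer.
SAMPLE_LOCKED = SAMPLE_OPEN.replace(
    " any host 192.0.2.10", " host 198.51.100.7 host 192.0.2.10")

PORT_NAMES = {"isakmp": 500}
NEEDED = {("udp", 500): "IKE", ("udp", 4500): "NAT-T", ("esp", None): "ESP"}

def take_addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]}/{tok[1]}", tok[2:]

def audit_ipsec_passthrough(config, acl):
    """Map each IPsec component to the sources the ACL lets send it."""
    found = {label: [] for label in NEEDED.values()}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl, "permit"] or len(tok) < 6:
            continue
        try:
            src, rest = take_addr(tok[4:])
            _dst, rest = take_addr(rest)
        except IndexError:
            continue  # truncated or malformed line
        port = None
        if rest[:1] == ["eq"] and len(rest) > 1:
            port = PORT_NAMES.get(rest[1], int(rest[1]) if rest[1].isdigit() else None)
        label = NEEDED.get((tok[3], port))
        if label:
            found[label].append(src)
    return found

def findings(config, acl):
    """Report components that are missing or reachable from any source."""
    result = audit_ipsec_passthrough(config, acl)
    return [f"{k}: not permitted" if not v else f"{k}: open to any source"
            for k, v in result.items() if not v or "any" in v]
print(findings(SAMPLE_OPEN, "allow_ping"))
```

An empty result for `findings(SAMPLE_LOCKED, "allow_ping")` means all three components are permitted and none is reachable from `any`.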

As I understood it, if I set the Netopia on clearsailing it would not block anything, that is from Motorola tech. Is that not correct?

Thank you for the Pix info, I started entering it and on the command: static (inside, outside) esp  when I entered it, the pix returned: Invalid Global IP address esp. Is it missing something?

Thank you again for your help


Another question, will any of this affect the normal web traffic from the rest of the 192.168.131.x network? If I make a static route on my outside interface ( and point it to, does that point all inbound traffic (i.e. my VPN and normal web traffic) to the device? I ask this as when I entered the first few lines, I seem to have lost "normal" web browsing from other machines on the segment.

Not sure about the Moto tech, but it is my understanding that clearsailing (vs SilentRunning, LANLocked) are 3 diff levels of the router's firewall config. SilentRunning is the default setting which opens the usual ports (80, 110, 25, 23, etc) & all others (incl VPN/1723) are closed. I would manually open the port in the Netopia - of which the config may be based on your ISP & what type of IP they are providing your acct...

Are you receiving a dynamic or a single static IP from the ISP? Also, who is your ISP?


We have 5 static IPs from AT&T. I found out that the clearsailing is "wide open". I plan on opening up the Netopia while working on the PIX to make sure all works or limit complications. Then once everything is working, I can close the Netopia around the VPN.

As a side note, I had to reset the PIX after I added the lines above. Once put in, no one else could see the internet. I am guessing this is why another person I was talking to mentioned a DMZ? Anyone have an idea?



Press2Esc's solution with the Netopia box sounds like a very good plan as it will simplify the PIX's config somewhat.
By the way, I realised you can't statically NAT ESP traffic, but I don't think you would need to, the UDP ports should be enough.

If you do manage to get the netopia talking pppoe to the pix, you'll still need static nats, but you can do a direct ip to ip nat from one of the IPs in your range to the cisco router instead of doing port based translation.

Sorry I've been out of the loop, Company temp pulled me on this. I am going onsite on 6-10 and will reconfigure as above. I'll let you know what happens.

Thanks for the input

Compuz, did you get trapped in the DMZ??? Shall we send out the posse?