Solved

Site-to-Site VPN from behind a Firewall

Posted on 2008-10-21
4
531 Views
Last Modified: 2013-11-05
Is it possible to establish a Site-to-Site VPN between two devices where one of them is behind a firewall?  Here is the setup:

<datacenter firewall> - Cisco PIX
      |
{internet}
      |
<destination facility firewall> - not in my control
      |
10.x.x.x address
<my firewall device> - most likely a juniper SSG or Cisco ASA
      |
<my equipment>

Basically, the firewall is in a facility and on a network with either a 10.x.x.x or 192.169.x.x address.  Is it possible to establish a site-to-site VPN between my firewall device and the datacenter?  I'm reading online about NAT Traversal, but I'm not sure that is what needs to be setup.  I'm quite certain that the destination firewall (that is not in my control) is setup to allow VPN tunnels that are established from within.
0
Comment
Question by:itneonatal
  • 2
4 Comments
 
LVL 10

Accepted Solution

by:
stsonline earned 500 total points
ID: 22771174
Sure... all you need to do is create firewall rules to pass Isakmp and IPSec traffic through it. For example, if the source VPN peer is 12.34.56.78 and the VPN device inside your firewall is 87.65.43.21, these rules should work:

access-list outside_acl extended permit esp host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit gre host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq 4500
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq isakmp

If you restrict access from inside out, you'll need return rules. You may also need to route the traffic through the firewall.
0
 

Author Comment

by:itneonatal
ID: 22771192
Would these rules be needed on the "destination firewall"?  Reason I ask is that the device is not under my control.
0
 
LVL 10

Assisted Solution

by:stsonline
stsonline earned 500 total points
ID: 22954700
Unfortunately yes, these would need to be on the destination firewall. Otherwise, IPSec will not pass through the destination firewall and will be blocked at that point.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question