Solved

Site-to-Site VPN from behind a Firewall

Posted on 2008-10-21
528 Views
Last Modified: 2013-11-05
Is it possible to establish a Site-to-Site VPN between two devices where one of them is behind a firewall?  Here is the setup:

<datacenter firewall> - Cisco PIX
      |
{internet}
      |
<destination facility firewall> - not in my control
      |
10.x.x.x address
<my firewall device> - most likely a juniper SSG or Cisco ASA
      |
<my equipment>

Basically, the firewall is in a facility and on a network with either a 10.x.x.x or 192.169.x.x address.  Is it possible to establish a site-to-site VPN between my firewall device and the datacenter?  I'm reading online about NAT Traversal, but I'm not sure that is what needs to be set up.  I'm quite certain that the destination firewall (that is not in my control) is set up to allow VPN tunnels that are established from within.
Question by: itneonatal
4 Comments
Accepted Solution

by: stsonline (earned 500 total points)
Sure... all you need to do is create firewall rules to pass ISAKMP and IPSec traffic through it. For example, if the source VPN peer is 12.34.56.78 and the VPN device inside your firewall is 87.65.43.21, these rules should work:

! ESP (IP protocol 50): the encrypted IPsec data traffic
access-list outside_acl extended permit esp host 12.34.56.78 host 87.65.43.21
! GRE (IP protocol 47): only needed if GRE is carried over the tunnel
access-list outside_acl extended permit gre host 12.34.56.78 host 87.65.43.21
! UDP 4500: IPsec NAT Traversal (IKE and ESP-in-UDP once NAT is detected)
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq 4500
! UDP 500 (isakmp): IKE phase 1 negotiation
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq isakmp

If you restrict access from inside out, you'll need return rules. You may also need to route the traffic through the firewall.
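As an added example (not from the thread or from either poster), a small Python checker that parses ASA extended ACEs like the ones above and reports whether IKE (UDP/500), NAT-T (UDP/4500) and bare ESP are permitted between two peers, and whether a tunnel can come up when the initiating peer sits behind NAT, which is the asker's situation. It assumes a first-match ACL with host/any endpoints only; the sample ACL is the answer's own four lines.

```python
import re
# Constructed sample: the four ACEs from the accepted answer above.
SAMPLE_ACL = """
access-list outside_acl extended permit esp host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit gre host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq 4500
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq isakmp
"""

# Minimal ASA extended-ACE grammar (assumption): host/any endpoints, optional "eq <port>".
ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+(permit|deny)\s+(\S+)\s+"
    r"(host\s+\S+|any)\s+(host\s+\S+|any)(?:\s+eq\s+(\S+))?$"
)
PORT_NAMES = {"isakmp": 500}  # ASA port keyword for UDP/500

def parse_acl(text):
    """Return ACEs as (action, proto, src, dst, port) in configured order."""
    rules = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, proto, src, dst, port = m.groups()
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        rules.append((action, proto.lower(), src.split()[-1], dst.split()[-1], port))
    return rules

def permits(rules, proto, src, dst, port=None):
    """First matching ACE decides, as on the ASA; no match is the implicit deny."""
    for action, p, s, d, prt in rules:
        if p == proto and s in ("any", src) and d in ("any", dst) and prt in (None, port):
            return action == "permit"
    return False

def ipsec_paths(rules, peer, inner, peer_behind_nat):
    """Which IPsec components pass from peer to inner, and whether a tunnel can come up."""
    paths = {
        "ike": permits(rules, "udp", peer, inner, 500),     # ISAKMP / IKE negotiation
        "nat_t": permits(rules, "udp", peer, inner, 4500),  # NAT-T: IKE and ESP-in-UDP once NAT is detected
        "esp": permits(rules, "esp", peer, inner),          # bare ESP, IP protocol 50
    }
    # Bare ESP has no ports for a NAT/PAT device to track, so a peer behind NAT
    # needs IKE on 500 plus the UDP/4500 fallback; a public peer can use either.
    if peer_behind_nat:
        paths["tunnel_possible"] = paths["ike"] and paths["nat_t"]
    else:
        paths["tunnel_possible"] = paths["ike"] and (paths["esp"] or paths["nat_t"])
    return paths
```

Dropping the UDP/4500 line from the sample and re-running ipsec_paths with peer_behind_nat=True shows why the NAT Traversal rule matters for the asker's 10.x.x.x device even though ESP itself is permitted.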

Author Comment

by: itneonatal
Would these rules be needed on the "destination firewall"?  Reason I ask is that the device is not under my control.
Assisted Solution

by: stsonline (earned 500 total points)
Unfortunately yes, these would need to be on the destination firewall. Otherwise, IPSec will not pass through the destination firewall and will be blocked at that point.
