?
Solved

Site-to-Site VPN from behind a Firewall

Posted on 2008-10-21
4
Medium Priority
?
536 Views
Last Modified: 2013-11-05
Is it possible to establish a Site-to-Site VPN between two devices where one of them is behind a firewall?  Here is the setup:

<datacenter firewall> - Cisco PIX
      |
{internet}
      |
<destination facility firewall> - not in my control
      |
10.x.x.x address
<my firewall device> - most likely a juniper SSG or Cisco ASA
      |
<my equipment>

Basically, the firewall is in a facility and on a network with either a 10.x.x.x or 192.169.x.x address.  Is it possible to establish a site-to-site VPN between my firewall device and the datacenter?  I'm reading online about NAT Traversal, but I'm not sure that is what needs to be setup.  I'm quite certain that the destination firewall (that is not in my control) is setup to allow VPN tunnels that are established from within.
0
Comment
Question by:itneonatal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 10

Accepted Solution

by:
stsonline earned 2000 total points
ID: 22771174
Sure... all you need to do is create firewall rules to pass Isakmp and IPSec traffic through it. For example, if the source VPN peer is 12.34.56.78 and the VPN device inside your firewall is 87.65.43.21, these rules should work:

access-list outside_acl extended permit esp host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit gre host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq 4500
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq isakmp

If you restrict access from inside out, you'll need return rules. You may also need to route the traffic through the firewall.
0
 

Author Comment

by:itneonatal
ID: 22771192
Would these rules be needed on the "destination firewall"?  Reason I ask is that the device is not under my control.
0
 
LVL 10

Assisted Solution

by:stsonline
stsonline earned 2000 total points
ID: 22954700
Unfortunately yes, these would need to be on the destination firewall. Otherwise, IPSec will not pass through the destination firewall and will be blocked at that point.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question