Solved

Site-to-Site VPN from behind a Firewall

Posted on 2008-10-21
4
535 Views
Last Modified: 2013-11-05
Is it possible to establish a Site-to-Site VPN between two devices where one of them is behind a firewall?  Here is the setup:

<datacenter firewall> - Cisco PIX
      |
{internet}
      |
<destination facility firewall> - not in my control
      |
10.x.x.x address
<my firewall device> - most likely a juniper SSG or Cisco ASA
      |
<my equipment>

Basically, the firewall is in a facility and on a network with either a 10.x.x.x or 192.169.x.x address.  Is it possible to establish a site-to-site VPN between my firewall device and the datacenter?  I'm reading online about NAT Traversal, but I'm not sure that is what needs to be setup.  I'm quite certain that the destination firewall (that is not in my control) is setup to allow VPN tunnels that are established from within.
0
Comment
Question by:itneonatal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 10

Accepted Solution

by:
stsonline earned 500 total points
ID: 22771174
Sure... all you need to do is create firewall rules to pass Isakmp and IPSec traffic through it. For example, if the source VPN peer is 12.34.56.78 and the VPN device inside your firewall is 87.65.43.21, these rules should work:

access-list outside_acl extended permit esp host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit gre host 12.34.56.78 host 87.65.43.21
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq 4500
access-list outside_acl extended permit udp host 12.34.56.78 host 87.65.43.21 eq isakmp

If you restrict access from inside out, you'll need return rules. You may also need to route the traffic through the firewall.
0
 

Author Comment

by:itneonatal
ID: 22771192
Would these rules be needed on the "destination firewall"?  Reason I ask is that the device is not under my control.
0
 
LVL 10

Assisted Solution

by:stsonline
stsonline earned 500 total points
ID: 22954700
Unfortunately yes, these would need to be on the destination firewall. Otherwise, IPSec will not pass through the destination firewall and will be blocked at that point.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s list some of the technologies that enable smooth teleworking. 
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question