Opening pix 501 ports for vpn and ras

mathelize Member Posts: 66
Hello, I'd like to open PIX 501 ports to allow traffic from the internet to terminate on a Windows Server 2008 machine used as a VPN server. The PIX is already functioning as a remote access VPN server and it's working fine. I wonder if I could use the Win2k8 server as a site-to-site VPN server with the PIX still sitting in front as a firewall.
Any help will be very much appreciated.
Thanks!
In my Lab
I have access to any cisco equipment I need

Comments

  • Ahriakin Member Posts: 1,799
    Probably better off in the off-topic or CCSP section (really off topic but I know it's easier to post somewhere more relevant).
    Anyway, it depends on what protocols you are going to use. For the usual IPsec ESP setup you'd need to permit ESP (protocol 50), UDP 500 (ISAKMP) and, I advise, UDP 4500 (NAT-T, allows for remote clients behind PAT), from the remote host to your inside VPN server.
    For others (L2TP etc.) just use the correct protocols instead of those listed below.

    e.g.

    If your VPN server's pub IP was to be 100.100.100.100, priv = 192.168.100.100, and the ACLs mentioned here are already applied to the interfaces...

    static (VPN-DMZ,OUTSIDE) 100.100.100.100 192.168.100.100
    !
    access-list OUTSIDE_in permit esp any host 100.100.100.100
    access-list OUTSIDE_in permit udp any host 100.100.100.100 eq 500
    access-list OUTSIDE_in permit udp any host 100.100.100.100 eq 4500
    !
    access-list VPN-DMZ_in permit esp host 192.168.100.100 any
    access-list VPN-DMZ_in permit udp host 192.168.100.100 any eq 500
    access-list VPN-DMZ_in permit udp host 192.168.100.100 any eq 4500
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
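As an added example (not from the post above and not Cisco's own tooling), a small Python checker that parses the OUTSIDE_in lines from the reply and evaluates sample flows against them, including the ACL's implicit deny at the end. It assumes PIX ACL syntax with `any` / `host A.B.C.D` / `NET MASK` addresses and only a destination `eq PORT` qualifier; the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copy of the OUTSIDE_in lines from the reply above (constructed test input).
PIX_ACL = """
access-list OUTSIDE_in permit esp any host 100.100.100.100
access-list OUTSIDE_in permit udp any host 100.100.100.100 eq 500
access-list OUTSIDE_in permit udp any host 100.100.100.100 eq 4500
"""

# PIX accepts protocol numbers as well as names; normalise the common ones.
PROTO_NAMES = {"50": "esp", "17": "udp", "6": "tcp", "0": "ip"}

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "esp", "udp", "tcp", "ip", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None when no "eq PORT" is given

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' (PIX uses real masks, not wildcards)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text, name):
    """Return the ordered rules of access-list NAME found in TEXT."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        action, proto, rest = t[2], PROTO_NAMES.get(t[3], t[3]), t[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in (proto, "ip") or s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "permit"
    return False
```

Running `evaluate(parse_acl(PIX_ACL, "OUTSIDE_in"), "tcp", "203.0.113.5", "100.100.100.100", 445)` returns False, which is the point of the example: only ESP and UDP 500/4500 to the VPN server's global address get through, everything else falls to the implicit deny.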