VPN Behind 515

[flaz]

Is there a way to open Cisco VPN Clients (ver.3.5.2) behind our PIX 515 so we don't have to build so many VPN Pipes. Having multiple Connections on the is simpler then building each pipe on the PIX.
We have a large list of clients using PIX firewalls that we need to connect to. Setting up Cisco VPN Dialers is easier. Right now we must dial-out to ISP then open the VPN connection. Locally we have a 2 Bound T's to the net. It would be much faster then Dialup.
Any Ideas.
Thanks
FLAZ

 

[yizhar]

HI.

For the local VPN client you will need to:

* Use STATIC nat mapping.
* Allow the following traffic via the firewall:
UDP port 500 (isakmp)
IP protocol 50 (esp)

If I understand you correctly, then it indeed seems a better solution for you to use vpn client, not only for simpler management but also for better security (you can access the remote clients, but their internal hosts cannot access yours).

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[flaz]

For the static mapping I assume I should add the termination points to my access list? How do I add the udp and ip esp commands? I tried it in my fixup protocol (where you add ports) commands and they did not take. Not to sound too inexperienced but what are the line commands I need to add?
Thanks
FLAZ

 

[yizhar]

HI.

111.111.111.111 = a registered ip address from same subnet as pix own outside interface.

10.10.10.10 = your client internal ip address.

static 111.111.111.111 10.10.10.10
access-list fromoutside permit udp any host 111.111.111.111 eq 500
access-list fromoutside permit esp any host 111.111.111.111
access-group fromoutside in interface outside

Of course, you probably have an existing access-list, so you only need to add the related lines to it.

Fixup is something else, not related to your question.

Bye

Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar