
WATCHGUARD FIREBOX II AND CISCO PIX VPNS

Status
Not open for further replies.

ittech2

IS-IT--Management
Oct 7, 2002
3
US
Can anyone tell me how to allow access of a Cisco PIX VPN to come through my Watchguard Firewall FBII ver 5.0? Ports needed are 50, 51, 500, (esp,udp). I have software support people who need to get to one of my internal servers and they are using PIX VPN. I set up an IPSec Service with 50, 51, 500 with outgoing to their routable address from any on my side. Incoming is what I am having trouble with. I have un-routable addresses on my side. How do I set the incoming up so I can Nat to the correct server? I have installed their key and can connect to their site but they cannot get to me.

ittech2
 
Is the PIX connecting to a device behind the FB? As long as your service is configured correctly, it shouldn't be a problem. Basically you are just setting up IPSec passthrough (instructions for this at WatchGuard's site).

Just for clarification's sake, that is IP protocols 50 and 51 (not ports).
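The point made above is the one that most often breaks an IPsec passthrough rule: ESP and AH are IP protocols 50 and 51, while IKE is UDP port 500, so a service that defines "50, 51, 500" as three UDP or TCP ports lets the key exchange through and silently drops the tunnel traffic. The following is an added example (not from this thread, and not WatchGuard's rule syntax) that parses a small constructed rule format and checks whether an inbound service definition covers what the thread says a PIX VPN to one inside host needs: protocol 50, protocol 51 and UDP/500 to that host. The rule syntax, the function names and the 192.168.1.x addresses are all assumptions for the example.

```python
"""Sanity-check an IPsec passthrough service definition.

Added example; the rule syntax is constructed for illustration:
    "<proto>[/<port>] from <src> to <dst>"   e.g. "esp from any to 192.168.1.1"
<proto> is a name (esp, ah, udp, tcp) or an IANA protocol number.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IP protocol numbers. The thread's point: 50 and 51 are protocols, not ports.
IP_PROTO = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}
PROTO_NAME = {v: k for k, v in IP_PROTO.items()}

# What the thread says a PIX VPN needs inbound to the inside host:
# ESP (proto 50), AH (proto 51) and IKE (UDP port 500).
REQUIRED = [(50, None), (51, None), (17, 500)]


@dataclass(frozen=True)
class Rule:
    proto: int           # IP protocol number
    port: Optional[int]  # destination port; only meaningful for TCP/UDP
    src: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed '<proto>[/<port>] from <src> to <dst>' syntax."""
    tokens = line.strip().lower().split()
    if len(tokens) != 5 or tokens[1] != "from" or tokens[3] != "to":
        raise ValueError(f"unrecognised rule: {line!r}")
    head, src, dst = tokens[0], tokens[2], tokens[4]
    name, _, port_s = head.partition("/")
    proto = int(name) if name.isdigit() else IP_PROTO[name]
    port = int(port_s) if port_s else None
    return Rule(proto, port, src, dst)


def check_ipsec_service(lines: List[str], server_ip: str) -> Dict[str, object]:
    """Report what an inbound IPsec service to server_ip is missing or gets wrong.

    Returns {"ok": bool, "missing": [...], "warnings": [...]}.
    """
    rules = [parse_rule(line) for line in lines]
    warnings: List[str] = []
    for r in rules:
        # The classic mistake: 50/51 entered as TCP or UDP ports.
        if r.proto in (6, 17) and r.port in (50, 51):
            warnings.append(
                f"{PROTO_NAME[r.proto]}/{r.port} to {r.dst}: 50 and 51 are IP protocol "
                f"numbers (ESP/AH), not ports")
        # ESP and AH have no port field; a port on them is a config error.
        if r.proto in (50, 51) and r.port is not None:
            warnings.append(f"{PROTO_NAME[r.proto]}/{r.port}: ESP and AH carry no port")

    missing: List[str] = []
    for proto, port in REQUIRED:
        covered = any(
            r.proto == proto
            and (port is None or r.port == port)
            and r.dst in ("any", server_ip.lower())
            for r in rules
        )
        if not covered:
            label = PROTO_NAME[proto] if port is None else f"{PROTO_NAME[proto]}/{port}"
            missing.append(f"{label} inbound to {server_ip}")

    return {"ok": not missing and not warnings, "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample definitions for an inside host at 192.168.1.1.
    good = ["esp from any to 192.168.1.1",
            "ah from any to 192.168.1.1",
            "udp/500 from any to 192.168.1.1"]
    ports_only = ["udp/50 from any to 192.168.1.1",
                  "udp/51 from any to 192.168.1.1",
                  "udp/500 from any to 192.168.1.1"]
    for name, defn in (("good", good), ("ports_only", ports_only)):
        print(name, check_ipsec_service(defn, "192.168.1.1"))
```

Run against the "ports_only" definition the check reports ESP and AH as missing and flags both UDP rules, which is exactly the symptom described in the thread: IKE negotiates, the outbound side appears to work, but the encrypted traffic to the inside host never arrives.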
 
Yes, the PIX is connecting to a device behind my firewall. I followed instructions from Watchguard, but my device behind my firewall has an unroutable address and I can't seem to point the incoming just to the device's address. Outgoing is working fine, but incoming from the PIX client is not.

 
You shouldn't have an issue pointing the rule to an inside private IP... Incoming: To: 192.168.1.1 (or whatever). What exactly occurs when you try to allow traffic inbound to a specific server? Additionally, if you can't set it to a specific IP, what do you have it set to?
 
We had a problem using Cisco VPN for two users inside our network trying to get out via Cisco VPNs. The Cisco client actually wanted to use IP protocol 50, UDP port 50 and TCP port 12002. Try adding these to the definition for IPsec and see if it makes a difference.
 
Thanks to all. I rechecked my configuration (didn't change anything on my IPSec setup), but I did a cold restart on the Firebox and it seems to work OK now.

 