RE: [fw-wiz] PIX to PIX IPSec Tunnel Through a PIX

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 03/03/04

    To: "Al Cooper" <alc@tlynx.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 3 Mar 2004 08:51:03 -0500
    
    

    I see big problems with PAT, especially if it's a global PAT through the interface of the 515E. I would create a static NAT on the 515E for the 501. Then it's just an issue of allowing the right protocols. Minimally, you will need to allow ISAKMP (UDP/500) and ESP through the 515E in both directions.

    PaulM

    -----Original Message-----
    I am attempting to establish an IPSec tunnel where 3 PIXes are involved. I
    have a PIX 506E on one end of the tunnel. On the other end is a PIX 515E
    running PAT, that needs to pass through the IPSec tunnel to an internal 501
    where the tunnel will be terminated (through the Border firewall and
    terminated on the Departmental firewall).

    I am finding very little information on the proper way to set up this
    network configuration. I have read that I may need to use NAT instead of
    PAT, and use the NAT-T function on the 515E. But other than that I am lost.
    Can you firewall experts lead me in the right direction?

    Thanks in advance for your help,

    Al Cooper

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
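
The reply's suggestion (a static NAT on the 515E for the 501, with ISAKMP and ESP permitted through), written out as a PIX 6.x configuration sketch for the 515E. This is an added example, not part of the original thread; every address and the ACL name `outside_in` are placeholders assumed for illustration.

```cisco
: Constructed example for the border 515E. Placeholder addresses:
:   192.0.2.10   spare public address on the 515E outside network,
:                dedicated to the 501 (not the PAT/interface address)
:   10.1.1.2     outside interface of the 501, on the 515E inside network
:   198.51.100.1 outside interface of the remote 506E
:
: One-to-one static translation for the 501, so its IKE and ESP
: traffic does not go through the global PAT.
static (inside,outside) 192.0.2.10 10.1.1.2 netmask 255.255.255.255
:
: Inbound from the remote peer only: ISAKMP (UDP/500) and ESP (IP protocol 50).
access-list outside_in permit udp host 198.51.100.1 host 192.0.2.10 eq isakmp
access-list outside_in permit esp host 198.51.100.1 host 192.0.2.10
access-group outside_in in interface outside
```

Outbound traffic from the 501 is allowed by the PIX default unless an ACL is bound to the inside interface, in which case that ACL needs the matching UDP/500 and ESP entries toward the 506E. The 506E would then use 192.0.2.10 as its tunnel peer address.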

