RE: [fw-wiz] Pass-through VPN
From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 09/30/04
- Previous message: Mark Tinberg: "Re: [fw-wiz] Log checking?"
- Maybe in reply to: Roberts, Shawn: "[fw-wiz] Pass-through VPN"
- Next in thread: Roberts, Shawn: "RE: [fw-wiz] Pass-through VPN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Roberts, Shawn" <Shawn.Roberts@ualberta.ca>, <firewall-wizards@honor.icsalabs.com> Date: Thu, 30 Sep 2004 15:43:55 -0400
> -----Original Message-----
> This is a site to site VPN with one termination box inside
> out firewall and the other on the outside of the firewall
> (where the traffic comes from). Both of these boxes are out
> of our hands and we just have to ensure when the firewall
> goes in the traffic still keeps going through. The VPN does
> not terminate on the PIX at all, just need the traffic to go
> untouched through it.
>
> I was planning on:
>
>
> access-list 131 permit udp x.x.x.x host X.X.X.X eq isakmp
> access-list 131 permit esp x.x.x.x host X.X.X.X
> access-list 131 permit ahp x.x.x.x host X.X.X.X
>
> Just hoping this is correct. Thanks again
Yes, assuming that x.x.x.x always initiates the connection, that will
allow the correct traffic to pass. The other thing, and I'm guessing
this is done or you plan on doing it, is that X.X.X.X must be a static
NAT so that the ISAKMP source ports aren't obscured.
PaulM
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Mark Tinberg: "Re: [fw-wiz] Log checking?"
- Maybe in reply to: Roberts, Shawn: "[fw-wiz] Pass-through VPN"
- Next in thread: Roberts, Shawn: "RE: [fw-wiz] Pass-through VPN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
