Re: [fw-wiz] firewall-wizards Digest, Vol 40, Issue 6
- From: Dan Ritter <dsr@xxxxxxxxxxxxxxx>
- Date: Tue, 25 Aug 2009 11:52:37 -0400
On Fri, Aug 21, 2009 at 11:27:48AM -0500, jamesworld@xxxxxxxxxxxxxxxxx wrote:
Yes, this is easy.
You need an extra address on the outside to create a static NAT
for.
Then you need to allow the traffic to that IP address (udp/500,
udp/4500, ESP) by way of an access-list.
It would look something like below.
192.0.0.20 is an example outside address
10.5.5.5 is an example inside address (vpn terminating device)
inside is assumed. It could be any other interface (for the static command)
Configuration
--------------------
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside
Thanks, that looks plausible. I was half-expecting the PIX to
not want to permit esp to any host other than itself.
-dsr-
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
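As an added sanity check (not part of the thread or any Cisco tooling), the following script parses the PIX lines above, works out which services the inbound ACL on "outside" actually exposes for each host static, and confirms that exactly IKE (udp/500), NAT-T (udp/4500) and ESP reach the inside VPN device. The sample config is constructed from the post plus one extra tcp/22 line so the check has something to flag; deny entries and first-match ordering are not modelled.

```python
import re

# Constructed sample: the thread's snippet plus an over-broad tcp/22 line
# (not in the original post) so the check has something to report.
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-list acl-outside-in permit tcp any host 192.0.0.20 eq 22
access-group acl-outside-in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Everything an IPsec peer behind a static NAT needs, and nothing more.
IPSEC_SERVICES = {("udp", "500"), ("udp", "4500"), ("esp", None)}


def exposed_services(config: str) -> dict:
    """Map each host static's outside address to the (proto, port) pairs that
    the ACL applied inbound on 'outside' permits to it ('any' hits every host)."""
    statics, aces, inbound = {}, [], {}
    for line in config.splitlines():
        if (m := STATIC_RE.match(line)) and m.group(1) == "outside":
            statics[m.group(2)] = m.group(3)          # outside ip -> inside ip
        elif m := ACE_RE.match(line):
            aces.append(m.groups())
        elif m := GROUP_RE.match(line):
            inbound[m.group(2)] = m.group(1)          # interface -> acl name
    exposed = {ip: set() for ip in statics}
    for name, action, proto, _src, dst, port in aces:
        if name != inbound.get("outside") or action != "permit":
            continue                                  # not in force on the outside
        for ip in statics:
            if dst in ("any", f"host {ip}"):
                exposed[ip].add((proto, port))
    return exposed


def check_ipsec_passthrough(config: str, outside_ip: str) -> tuple:
    """Return (complete, extra): complete is True when udp/500, udp/4500 and ESP
    all reach outside_ip; extra is whatever else the ACL lets through to it."""
    services = exposed_services(config).get(outside_ip, set())
    return IPSEC_SERVICES <= services, services - IPSEC_SERVICES


if __name__ == "__main__":
    ok, extra = check_ipsec_passthrough(SAMPLE_CONFIG, "192.0.0.20")
    print("IPsec pass-through complete:", ok, "| beyond IPsec:", sorted(extra))
```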