Re: [fw-wiz] firewall-wizards Digest, Vol 40, Issue 6

On Fri, Aug 21, 2009 at 11:27:48AM -0500, jamesworld@xxxxxxxxxxxxxxxxx wrote:
Yes, this is easy.

You need an extra address on the outside to create a static nat
Then you need to allow the traffic to that IP address (udp/500,
udp/4500, ESP) by way of an access-list.

It would look something like below. is an example outside address is an example inside address (vpn terminating device)
inside is assumed. It could be any other interface (for the static command)

static (inside,outside) netmask
access-list acl-outside-in permit udp any host eq 500
access-list acl-outside-in permit udp any host eq 4500
access-list acl-outside-in permit esp any host
access-group acl-outside-in in interface outside

Thanks, that looks plausible. I was half-expecting the PIX to
not want to permit esp to any host other than itself.
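As an added example (not from either poster in this thread), the check below parses the same PIX-style `static` and `access-list` syntax jamesworld quoted and confirms that the outside ACL exposes exactly the three IPsec services (udp/500, udp/4500, ESP) to the one-to-one static-NAT'd VPN host and nothing else. The addresses are placeholders of my own (192.0.2.10 outside, 10.0.0.10 inside), since the thread's own addresses did not survive the archive, and the parser only understands the `permit <proto> any host <ip> [eq <port>]` form used above:

```python
"""Lint a PIX/ASA-style config fragment for minimal IPsec pass-through.

Added example, not from the mailing-list thread. It assumes the
access-list grammar quoted in the thread and placeholder addresses.
"""
import re

# Constructed sample config. 192.0.2.10 stands in for the extra outside
# address, 10.0.0.10 for the inside VPN-terminating device (placeholders).
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.2.10 eq 500
access-list acl-outside-in permit udp any host 192.0.2.10 eq 4500
access-list acl-outside-in permit esp any host 192.0.2.10
access-group acl-outside-in in interface outside
"""

# The only services an IPsec peer needs: IKE, NAT-T, and ESP itself.
IPSEC_ALLOWED = {("udp", 500), ("udp", 4500), ("esp", None)}

STATIC_RE = re.compile(
    r"^static\s+\((?P<real>\w+),(?P<mapped>\w+)\)\s+(?P<global>\S+)\s+"
    r"(?P<local>\S+)\s+netmask\s+(?P<mask>\S+)"
)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\d+))?\s*$"
)


def parse_config(text):
    """Split a config fragment into static-NAT entries and ACL entries."""
    statics, acl = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
            continue
        m = ACL_RE.match(line)
        if m:
            d = m.groupdict()
            d["dst"] = d["dst"].split()[-1]          # "host X" -> "X", "any" stays
            d["port"] = int(d["port"]) if d["port"] else None
            acl.append(d)
    return statics, acl


def check_ipsec_exposure(text):
    """Return a list of findings; an empty list means the fragment permits
    exactly IKE, NAT-T and ESP to a host that has a one-to-one static NAT."""
    statics, acl = parse_config(text)
    findings = []
    # Only /32 statics map a single outside address to the VPN device.
    vpn_globals = {s["global"] for s in statics if s["mask"] == "255.255.255.255"}
    for e in acl:
        if e["action"] != "permit":
            continue
        if e["dst"] not in vpn_globals:
            findings.append(f"permit to {e['dst']} which has no one-to-one static NAT")
        if (e["proto"], e["port"]) not in IPSEC_ALLOWED:
            findings.append(f"permit {e['proto']}/{e['port']} to {e['dst']} is not an IPsec service")
    seen = {(e["proto"], e["port"]) for e in acl
            if e["action"] == "permit" and e["dst"] in vpn_globals}
    # Missing udp/4500 is the classic failure: peers behind NAT cannot use NAT-T.
    for proto, port in sorted(IPSEC_ALLOWED - seen, key=str):
        findings.append(f"no permit for {proto}/{port} to the VPN host")
    return findings


if __name__ == "__main__":
    for finding in check_ipsec_exposure(SAMPLE_CONFIG) or ["ok: minimal IPsec exposure"]:
        print(finding)
```

Running it against the sample prints "ok"; adding any other permit to the VPN host, or dropping the udp/4500 line, produces a finding, which is the kind of check worth re-running whenever the outside ACL is edited.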

