Re: [fw-wiz] firewall-wizards Digest, Vol 40, Issue 6



On Fri, Aug 21, 2009 at 11:27:48AM -0500, jamesworld@xxxxxxxxxxxxxxxxx wrote:
Yes, this is easy.

You need an extra an extra address on the outside to create a static nat
for.
Then you need to allow the traffic to that IP address (udp/500,
udp/4500, ESP) by way of an access-list.

It would look something like below.
192.0.0.20 is an example outside address
10.5.5.5 is an example inside address (vpn terminating device)
inside is assumed. It could be any other interface (for the static command)

Configuration
--------------------
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside

Thanks, that looks plausible. I was half-expecting the PIX to
not want to permit esp to any host other than itself.

-dsr-
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards