Firewall Wizards mailing list archives
Re: firewall-wizards Digest, Vol 40, Issue 6
From: Dan Ritter <dsr () tao merseine nu>
Date: Tue, 25 Aug 2009 11:52:37 -0400
On Fri, Aug 21, 2009 at 11:27:48AM -0500, jamesworld () intelligencia com wrote:
> Yes, this is easy. You need an extra address on the outside to create a
> static NAT for. Then you need to allow the traffic to that IP address
> (udp/500, udp/4500, ESP) by way of an access-list. It would look something
> like below.
>
> 192.0.0.20 is an example outside address
> 10.5.5.5 is an example inside address (vpn terminating device)
> inside is assumed. It could be any other interface (for the static command)
>
> Configuration
> --------------------
> static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
> access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
> access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
> access-list acl-outside-in permit esp any host 192.0.0.20
> access-group acl-outside-in in interface outside
Thanks, that looks plausible. I was half-expecting the PIX to not want to
permit esp to any host other than itself.

-dsr-

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
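The check a practitioner would want for the configuration quoted above, as an added example that is not part of the original thread: a small Python audit that parses the `static`, `access-list` and `access-group` lines and confirms the ACL applied inbound on the outside interface permits exactly the three IPsec flows (udp/500, udp/4500, ESP) to the statically mapped host and nothing broader, and reports any of the three that is missing. The line formats, the `THREAD_CONFIG` sample and the `audit_ipsec_passthrough` function are assumptions modelled on the PIX syntax shown in the quote, not anything from the list or from Cisco.

```python
import re

# Constructed sample: the configuration quoted in the thread.
THREAD_CONFIG = """\
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside
"""

# What an IPsec endpoint behind a static NAT needs inbound, and nothing more:
# IKE on udp/500, NAT-T on udp/4500, and ESP itself (no port).
IPSEC_FLOWS = {("udp", "500"), ("udp", "4500"), ("esp", None)}

# Assumed PIX-style line shapes (only the forms seen in the thread are parsed).
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>\S+) (?P<real>\S+)"
    r"(?: netmask (?P<mask>\S+))?"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\S+)$")


def parse_config(text):
    """Split static / access-list / access-group lines into dicts; ignore the rest."""
    statics, acls, groups = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups.append(m.groupdict())
    return statics, acls, groups


def _flow_name(proto, port):
    return f"{proto}/{port}" if port else proto


def audit_ipsec_passthrough(text, outside="outside"):
    """Return a list of findings. An empty list means every ACL applied inbound on
    the outside interface permits exactly the IPsec flows to the statically mapped
    host(s), nothing broader, and none of the three flows is missing."""
    statics, acls, groups = parse_config(text)
    findings = []
    mapped = {s["mapped"] for s in statics}
    if not mapped:
        findings.append("no static NAT mapping found")
    # Only ACLs actually bound inbound on the outside interface reach the mapped host.
    inbound = [g["name"] for g in groups if g["dir"] == "in" and g["iface"] == outside]
    if not inbound:
        findings.append(f"no access-group applied inbound on {outside}")
    seen = {host: set() for host in mapped}
    for name in inbound:
        for e in acls.get(name, []):
            if e["action"] != "permit":
                continue
            if e["dst"] == "any":
                findings.append(f"{name}: permit {e['proto']} to any destination")
                continue
            host = e["dst"].split()[1]
            flow = (e["proto"], e["port"])
            if host not in mapped:
                findings.append(f"{name}: permit to {host}, which has no static mapping")
            elif flow not in IPSEC_FLOWS:
                findings.append(f"{name}: {_flow_name(*flow)} to {host} is broader than IPsec needs")
            else:
                seen[host].add(flow)
    for host, flows in seen.items():
        for proto, port in sorted(IPSEC_FLOWS - flows, key=str):
            findings.append(f"{host}: missing permit for {_flow_name(proto, port)}")
    return findings


if __name__ == "__main__":
    for f in audit_ipsec_passthrough(THREAD_CONFIG) or ["OK: exactly the IPsec flows are permitted"]:
        print(f)
```

The `static` line only creates the address mapping; it is the inbound ACL that decides what can reach the VPN device, so the audit treats any permit beyond the three flows (for example an `ip any host` line) as a finding, and separately reports a missing flow, since dropping ESP or udp/4500 is the usual reason a tunnel through NAT fails to pass traffic.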