Firewall Wizards mailing list archives
RE: Pass-through VPN
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 30 Sep 2004 15:43:55 -0400
-----Original Message-----

This is a site-to-site VPN with one termination box inside our firewall and the other on the outside of the firewall (where the traffic comes from). Both of these boxes are out of our hands and we just have to ensure that when the firewall goes in the traffic still keeps going through. The VPN does not terminate on the PIX at all; we just need the traffic to go untouched through it. I was planning on:

    access-list 131 permit udp x.x.x.x host X.X.X.X eq isakmp
    access-list 131 permit esp x.x.x.x host X.X.X.X
    access-list 131 permit ahp x.x.x.x host X.X.X.X

Just hoping this is correct. Thanks again.
Yes, assuming that x.x.x.x always initiates the connection, that will allow the correct traffic to pass. The other thing, and I'm guessing this is done or you plan on doing it, is that X.X.X.X must be a static NAT so that the ISAKMP source ports aren't obscured.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
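Putting the two messages together as one PIX 6.x configuration, as an added example that is not part of anything posted in the thread. It assumes x.x.x.x is the single outside endpoint and always initiates, that the inside endpoint has the placeholder private address 10.1.1.10 and is presented on the outside as X.X.X.X, and that access-list 131 is applied inbound on the outside interface. The source is written as `host x.x.x.x` because the post describes a single box on each side, and AH is spelled `ah` on the PIX (IOS spells it `ahp`).

```cisco
! Added example (not from the thread): pass a site-to-site IPsec tunnel
! through a PIX without terminating it there.
! Assumptions: x.x.x.x = outside endpoint (initiator); 10.1.1.10 = inside
! endpoint (placeholder private address), translated to X.X.X.X on the outside.

! 1. One-to-one static translation for the inside endpoint. A static, rather
!    than a PAT/global pool, keeps the ISAKMP source port (UDP 500) intact and
!    gives ESP and AH, which carry no ports at all, a fixed translation to use.
static (inside,outside) X.X.X.X 10.1.1.10 netmask 255.255.255.255

! If the inside box already holds the public address X.X.X.X, use an
! identity static instead:
! static (inside,outside) X.X.X.X X.X.X.X netmask 255.255.255.255

! 2. Permit IKE (UDP/500), ESP (IP protocol 50) and AH (IP protocol 51) from
!    the initiator to the translated address. The numeric protocols 50 and 51
!    can be substituted for the esp/ah keywords if a given release lacks them.
access-list 131 permit udp host x.x.x.x host X.X.X.X eq isakmp
access-list 131 permit esp host x.x.x.x host X.X.X.X
access-list 131 permit ah host x.x.x.x host X.X.X.X

! 3. Apply the ACL inbound on the outside interface. Replies from X.X.X.X to
!    x.x.x.x match the connection the initiator created, so no outbound ACL
!    entry is needed as long as x.x.x.x always initiates.
access-group 131 in interface outside

! Checks once the tunnel is up:
!   show xlate            -> a static entry for X.X.X.X with no port mapping
!   show conn             -> the UDP 500 connection and the ESP/AH flows
!   show access-list 131  -> hit counts climbing on all three lines
```

One caveat the thread does not cover: if the two endpoints negotiate NAT-Traversal, IKE and ESP move to UDP/4500 after the first exchange, and a fourth line, `access-list 131 permit udp host x.x.x.x host X.X.X.X eq 4500`, is needed as well; the static translation still matters in that case, since a PAT would rewrite the source port the peers agreed on.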
Current thread:
- Pass-through VPN Roberts, Shawn (Sep 30)
- Re: Pass-through VPN Josh Welch (Sep 30)
- <Possible follow-ups>
- RE: Pass-through VPN Roberts, Shawn (Sep 30)
- RE: Pass-through VPN Melson, Paul (Sep 30)
- RE: Pass-through VPN Roberts, Shawn (Sep 30)
- RE: Pass-through VPN Melson, Paul (Sep 30)