Firewall Wizards mailing list archives

RE: Pass-through VPN


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 30 Sep 2004 15:43:55 -0400

-----Original Message-----
This is a site to site VPN with one termination box inside 
our firewall and the other on the outside of the firewall 
(where the traffic comes from). Both of these boxes are out 
of our hands and we just have to ensure when the firewall 
goes in the traffic still keeps going through.  The VPN does 
not terminate on the PIX at all, just need the traffic to go 
untouched through it.  

I was planning on:


access-list 131 permit udp x.x.x.x host X.X.X.X eq isakmp 
access-list 131 permit esp x.x.x.x host X.X.X.X 
access-list 131 permit ahp x.x.x.x host X.X.X.X 

Just hoping this is correct.  Thanks again


Yes, assuming that x.x.x.x always initiates the connection, that will
allow the correct traffic to pass.  The other thing, and I'm guessing
this is done or you plan on doing it, is that X.X.X.X must be a static
NAT so that the ISAKMP source ports aren't obscured.

PaulM
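Putting the two halves of Paul's answer together, here is an added example of what the complete PIX pass-through configuration would look like; it is not configuration from either poster. It assumes the inside VPN box has the private address 192.168.1.10 (a constructed placeholder), that X.X.X.X is its fixed public address and x.x.x.x the outside peer, that both addresses are single hosts (hence the `host` keyword the posted lines were missing), and that the access list is applied inbound on the outside interface. The AH line uses the PIX protocol keyword `ah` (IOS spells it `ahp`).

```cisco
! One-to-one static translation for the inside VPN terminator.
! A static (not PAT) mapping keeps the UDP/500 source port intact,
! which is the point made in the reply.
static (inside,outside) X.X.X.X 192.168.1.10 netmask 255.255.255.255
!
! Outside-to-inside rules for the IPsec control and data channels:
! IKE/ISAKMP (UDP/500), ESP (IP protocol 50), AH (IP protocol 51).
! On PIX 6.x an outside ACL references the global (translated) address.
access-list 131 permit udp host x.x.x.x host X.X.X.X eq isakmp
access-list 131 permit esp host x.x.x.x host X.X.X.X
access-list 131 permit ah host x.x.x.x host X.X.X.X
!
! Bind the list inbound on the outside interface.
access-group 131 in interface outside
```

After the tunnel comes up, `show xlate` should list the static entry for X.X.X.X, and `show access-list 131` should show hit counts climbing on the udp, esp and ah lines; a counter that stays at zero on the esp/ah lines while the udp line increments usually means IKE negotiated but the data channel is being dropped, which is the first thing to check if the VPN appears to "connect" but passes no traffic.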

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

