Re: firewall-wizards Digest, Vol 40, Issue 6

[<jamesworld () intelligencia com>]

Yes,  this is easy.

You need an extra an extra address on the outside to create a static nat for.
Then you need to allow the traffic to that IP address (udp/500, 
udp/4500, ESP) by way of an access-list.

It would look something like below.
192.0.0.20 is an example outside address
10.5.5.5 is an example inside address (vpn terminating device)
inside is assumed.  It could be any other interface (for the static command)

Configuration
--------------------
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside

At 11:00 AM 8/21/2009, firewall-wizards-request () listserv icsalabs com wrote:
> Message: 1
> Date: Wed, 19 Aug 2009 13:52:53 -0400
> From: Dan Ritter <dsr () tao merseine nu>
> Subject: [fw-wiz] PIX in multiple IPsec roles
> To: firewall-wizards () listserv icsalabs com
> Message-ID: <20090819175253.GZ23234 () tao merseine nu>
> Content-Type: text/plain; charset=us-ascii
>
>
> Is there a plausible way to convince a PIX to pass through an
> IPsec tunnel to another device while simultaneously being an
> endpoint for a different tunnel?
>
> I have sites A, B, and C. Each has a PIX515E with tunnels to the
> other two sites.
>
> Now a vendor wants to establish a tunnel to a device inside
> PIX A. I seem to be lacking the right keywords to search for
> this.
>
> -dsr-

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards