cisco vpn client through an 871 router to a pix 501


• cisco vpn client through an 871 router to a pix 501

  hi all,

  i've been trying to do this for years now, but without success. i gave up on this ages back, but thought i'd try it again.

  what i want to do is simple, conceptually at least.

  i want to connect to my home network while i'm on the road.

  here's the basic layout:

  PC -------> *internet* -------> cisco 871 -------> pix 501 -------> internal network

  the 871's outside interface is assigned an address through dhcp, but i have an internal server running a no-ip client.

  i know that i need to pass certain things through the 871 to the 501, but not only do i not really know what to pass through, i don't know the commands to do so either.

  from my research i have gained the following, but i'm pretty sure that it's not all that i need.

  1. enable nat traversal (on the pix?)
  2. some port redirections
  3. some protocol passthroughs

  i'll be honest, i was much more savvy about this some time back, but now i'm really rusty.

  any and all help will be greatly appreciated.

  btw, before anyone asks or suggests, no, the configuration cannot be changed to using only the 871 or pix; it must be a solution that uses this setup.

• #2
  Re: cisco vpn client through an 871 router to a pix 501

  Since there is NAT in the path then yes, NAT-T will need to be enabled. On recent platforms it is on by default and should be negotiated between the endpoints. You may want to check the config guide for the 501 to see if it's enabled by default.

  Inbound on the 871 you need to allow UDP port 500 and protocol 50 (ESP); for NAT-T you need to allow UDP 4500 in as well.

  This document should help with the config. The config assumes you're running 6.3 or later.

  http://www.cisco.com/en/US/products/...801e71c0.shtml
  Last edited by auglan; 29th May 2012, 11:21.
  CCNA, CCNA-Security, CCNP
  CCIE Security (In Progress)

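One way to configure the 871 side that this reply describes (inbound filter plus static forwards of UDP 500, UDP 4500 and ESP to the PIX), as an added example that is not part of the thread and not taken from the linked Cisco document. The interface names (FastEthernet4 outside, Vlan1 inside), the inside subnet 192.168.1.0/24 and the PIX outside address 192.168.1.2 are assumed, and the `ip nat inside source static esp` line assumes the 871's IOS image supports static ESP mapping:

```cisco
! Added example (not from the thread): Cisco 871 IOS config to pass an IPsec
! remote-access client through to the PIX 501 behind it.
! Assumed topology (constructed for this example):
!   FastEthernet4 = 871 outside, address via DHCP
!   Vlan1         = 871 inside, 192.168.1.1/24
!   192.168.1.2   = PIX 501 outside interface
!
! 1. Inbound filter on the outside interface. If an inbound ACL is already
!    applied on FastEthernet4, add these three permits to it; they are the
!    only VPN-related entries needed (IKE udp/500, NAT-T udp/4500, ESP = IP 50).
ip access-list extended OUTSIDE-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 ! the router's existing inbound rules (return traffic etc.) follow here
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! 2. Static forwards to the PIX outside address. The existing PAT line for the
!    LAN (ip nat inside source list ... interface FastEthernet4 overload) stays
!    as it is. When NAT-T is negotiated the tunnel data travels inside udp/4500,
!    so the esp mapping only matters if a peer falls back to raw ESP.
ip nat inside source static udp 192.168.1.2 500 interface FastEthernet4 500
ip nat inside source static udp 192.168.1.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 192.168.1.2 interface FastEthernet4
!
! 3. Verification after a client connects:
!   show ip nat translations | include 192.168.1.2
!   show access-lists OUTSIDE-IN    (hit counters on the three permit lines)
```

Because the outside address comes from DHCP, the ACL and the static mappings reference the interface rather than a fixed address, so they keep working when the provider hands out a new lease.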


• #3
  Re: cisco vpn client through an 871 router to a pix 501

  thank you for your response and help.

  on the 871, do i need to do anything other than the redirection statements? any special ACLs?



• #4
  Re: cisco vpn client through an 871 router to a pix 501

  Just make sure that udp 500, protocol 89 (ESP), and udp port 4500 (NAT-T) are open inbound on the router and the pix.

  Also make sure you have your nat exemption ACLs and policy configured on the pix so your data sent over the vpn is not natted.
  CCNA, CCNA-Security, CCNP
  CCIE Security (In Progress)

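The PIX 501 side that replies #2 and #4 describe (enabling NAT-T and exempting VPN traffic from NAT), as an added example in PIX 6.3 syntax that is not taken from the thread or from the linked document. The inside subnet 10.0.0.0/24, the client pool 10.0.1.0/24, the group name HOMEVPN, the DNS server address and the 3DES/SHA proposal are assumed values; the example goes a little beyond the replies by also showing the dynamic crypto map that binds the client group to the outside interface, since the NAT exemption only has an effect once that is in place:

```cisco
! Added example, not from the thread: PIX 501 (6.3) remote-access side.
! Assumed addressing (constructed): inside 10.0.0.0/24, client pool 10.0.1.0/24.
!
! IKE on the outside interface, with NAT-T enabled explicitly (keepalive 20 s).
! IKE (udp/500) and NAT-T (udp/4500) packets addressed to the PIX itself are
! accepted by "isakmp enable outside"; the interface ACL governs transit traffic.
isakmp enable outside
isakmp nat-traversal 20
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Client group and address pool (group name, DNS server and key are placeholders).
ip local pool VPNPOOL 10.0.1.1-10.0.1.20
vpngroup HOMEVPN address-pool VPNPOOL
vpngroup HOMEVPN dns-server 10.0.0.10
vpngroup HOMEVPN idle-time 1800
vpngroup HOMEVPN password <PRE-SHARED-KEY-PLACEHOLDER>
!
! NAT exemption: LAN-to-pool traffic must bypass NAT, otherwise the replies are
! translated to the outside address and never match the client's IPsec SA.
access-list NONAT permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Decrypted tunnel traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec
!
! IPsec proposal and a dynamic crypto map for clients whose addresses are unknown.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP client configuration address respond
crypto map VPNMAP interface outside
!
! Verification once a client connects:
!   show isakmp sa     (the client's SA should reach QM_IDLE)
!   show ipsec sa      (encrypt/decrypt counters rising; NAT-T peers show port 4500)
!   show xlate         (no translation entries for 10.0.0.x <-> 10.0.1.x traffic)
```

The `show xlate` check is the quick way to confirm the NAT exemption is working: if LAN-to-client traffic shows up there, the NONAT access list does not match it and the tunnel will pass pings in only one direction.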