VPN with Cisco PIX 506E through firewalls - port question

Goal: Allow telecommuters at home to VPN into the protected network.

Internet traffic to our office goes through 2 Sidewinder firewalls before even hitting our Sidewinder firewall (yes - 3 firewalls). On our firewall, we have partitioned a port for our DMZ and allowed inbound UDP500 and UDP10000. Upstream, the firewalls have the same rule.

My question is do you have to have inbound AND outbound traffic on those two ports?

Reason: Using Cisco VPN Client 4.6, we can "connect and authenticate", but looking at the statistics, we have thousands of bytes sent out but ZERO bytes received. To me it looks like the upstream firewall is blocking the handshaking or whatever goes on between a PIX and a client.

Thanks all, Sean

Reply to
aether8203

In article , wrote:
:Goal: Allow telecommuters at home to VPN into the protected network.

:Internet traffic to our office goes through 2 Sidewinder firewalls
:before even hitting our Sidewinder firewall (yes - 3 firewalls). On
:our firewall, we have partitioned a port for our DMZ and allowed inbound
:UDP500 and UDP10000. Upstream, the firewalls have the same rule.

I seem to have missed out on where the PIX is in this sequence?

:My question is do you have to have inbound AND outbound traffic on
:those two ports?

:Reason: Using Cisco VPN Client 4.6, we can "connect and authenticate",
:but looking at the statistics, we have thousands of bytes sent out but
:ZERO bytes received. To me it looks like the upstream firewall is
:blocking the handshaking or whatever goes on between a PIX and a
:client.

Turn on isakmp nat-traversal on the PIX, then turn off UDP10000, and open up UDP 4500. There is some dynamic port negotiation after that that you might have to allow for on the other firewalls.

Reply to
Walter Roberson

Goes like this:

 =========
 = Internet =
 =========
     |-----> Firewall 1 |-------> Firewall 2 |----------> Our Firewall
                                                             /       \
                                                        Internal     DMZ (with PIX here)

Since we have to go through a long paperwork process for opening a port in Firewall 1 and 2, is there any steadfast rule for VPN communication to a PIX? When you mention "dynamic port negotiation", what port does that translate to (or does it)?

Reply to
aether8203

In article , wrote:
:Since we have to go through a long paperwork process for opening a port
:in Firewall 1 and 2, is there any steadfast rule for VPN communication
:to a PIX?

If all the IP address translation from outside to inside is 1-to-1, then you can use:

ESP (IP protocol 50)
isakmp (UDP port 500)

If you want to add AH (authentication header) to such a situation, the public IP of the PIX must match the IP as known to the other side, and you would need IP Protocol 51 (AH.)

: When you mention "dynamic port negotiation", what port does
:that translate to (or does it)?

If nat-traversal is turned on, which is required to deal with IP translation that is not 1-to-1, and required if you want to get AH through a non-identity IP translation, then UDP 4500 is used after UDP 500, and if NAT is detected then the next UDP port number in sequence in the "dynamic" range (> 1023) is used -- a different port each time. I do not clearly recall the details now, but I think the dynamic port is a -source- port, always used to the fixed port 4500 on the other end. (This process is done independently for the two directions, so each is sending to 4500.)

Reply to
Walter Roberson

Last Question:

When you say "open up" a port, do you mean both incoming and outgoing through the Firewalls? The "powers" above us have very strict procedures and I want to make sure I ask correctly.

Thanks very much for your help!

Reply to
aether8203

In article , wrote:
:When you say "open up" a port, do you mean both incoming and outgoing
:through the Firewalls?

UDP 500 -- needed in both directions. 500 will be the source and destination for this flow -- port 500 to port 500.

UDP 4500 -- if you are using NAT-T, needed in both directions. I seem to recall that 4500 is the source and destination port during NAT-T negotiations, but I could be wrong. If NAT-T is activated, then 4500 becomes the destination (outgoing) port for each side, with a {different} dynamic (> 1023) port as the source port for each side. Dynamic source ports are the normal mode of operation of all kinds of TCP/UDP protocols, so this dynamic nature should not require any special configuration.

IP 50 (ESP) -- needed in both directions if NAT-T is off or if NAT-T detects that there is no NAT (no point encapsulating if you don't need to). There is no port number for ESP.

Reply to
Walter Roberson
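A small checker, added here as an example and not code from the thread, that models the flows listed in the replies above (UDP 500 to 500 in both directions, UDP 4500 as the destination with a dynamic source once NAT-T kicks in, and ESP when nothing is encapsulated) and reports which of them a ruleset leaves uncovered. The two rulesets, the "in"/"out" direction labels and the ANY port marker are constructed for the example; the first ruleset mirrors the original poster's inbound-only UDP 500 and UDP 10000 rule.

```python
# Added example (not from the thread): list which of the IPsec/NAT-T flows
# described in the replies are not covered by a firewall's rules.
# Direction "in" = VPN client -> PIX, "out" = PIX -> client. ANY means "any port".

ANY = None

def required_flows(nat_t, nat_detected):
    """Flows the replies say must be permitted, by scenario."""
    flows = [("in", "udp", 500, 500), ("out", "udp", 500, 500)]  # ISAKMP: 500 -> 500 both ways
    if nat_t:
        # Once NAT-T is active, 4500 is the destination on each side and the
        # source is a dynamic (> 1023) port, so the source must be left open.
        flows += [("in", "udp", ANY, 4500), ("out", "udp", ANY, 4500)]
    if not nat_t or not nat_detected:
        # ESP (IP protocol 50) travels unencapsulated; it has no port numbers.
        flows += [("in", "esp", ANY, ANY), ("out", "esp", ANY, ANY)]
    return flows

def port_ok(rule_port, flow_port):
    # A rule naming one port covers only that port; a dynamic/any flow needs an "any" rule.
    return rule_port is ANY or (flow_port is not ANY and rule_port == flow_port)

def rule_covers(rule, flow):
    r_dir, r_proto, r_src, r_dst = rule
    f_dir, f_proto, f_src, f_dst = flow
    return r_dir == f_dir and r_proto == f_proto and port_ok(r_src, f_src) and port_ok(r_dst, f_dst)

def missing_flows(rules, nat_t, nat_detected):
    """Return the required flows no rule permits; an empty list means the ruleset suffices."""
    return [f for f in required_flows(nat_t, nat_detected)
            if not any(rule_covers(r, f) for r in rules)]

# Constructed ruleset matching the original poster's description: inbound-only UDP 500 and UDP 10000.
OP_RULES = [("in", "udp", ANY, 500), ("in", "udp", ANY, 10000)]

# Constructed ruleset following the replies: 500, 4500 and ESP permitted in both directions.
FIXED_RULES = [
    ("in", "udp", ANY, 500), ("out", "udp", ANY, 500),
    ("in", "udp", ANY, 4500), ("out", "udp", ANY, 4500),
    ("in", "esp", ANY, ANY), ("out", "esp", ANY, ANY),
]

if __name__ == "__main__":
    for name, rules in (("OP", OP_RULES), ("fixed", FIXED_RULES)):
        print(name, "missing:", missing_flows(rules, nat_t=True, nat_detected=True))
```

With the original poster's rules, every outbound flow is reported missing, which matches the "bytes sent, zero received" symptom in the first post.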

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.