Cisco Newbie

pts.
Tags:
Cisco
Networking
Routers
Hello, I have a Cisco 1721 as my Internet router. It is configured with access-lists to pre-filter Internet traffic,and NAT. I need to setup MUPVN on a Firebox Soho6tc, but need to first allow the traffic through the Cisco router. What protocols and ports need to be open on the Cisco router to connect to the Firebox? Is this possible without turning NAT off on the Cisco router? Thank you very much.
Asked: Last updated:
Related Questions
1

Answer Wiki

Thanks. We'll let you know when a new response is added.

I don’t know much about this firebox device but it looks like a small internet firewall.
If you weren’t NATing with your router your setup would resemble what I built for our college. The outer openbsd firewall screens the DMZ and allows VPNs to the PIX behind the DMZ. I had to open all UDP ports and ESP for standard and encapsulated VPNs to get through. The clients get IP addresses on the network behind the PIX.
NAT on your router is a significant problem unless your VPN solution encapsulates the packets within UDP or TCP. Without encapsulation, NAT anywhere between the client and VPN server will break your VPNs. On our PIX TCP encapsulation didn’t work so I had to use UDP. That is why I opened all UDP ports. Since we don’t NAT in our college, the reason we do encapsulation is to accomodate home users who have NAT on their internet connection.
If you had a “normal setup” you would have to allow ESP and ISAKMP as a minimum.
How big is your network? Could you substitute your firewall for the 1721? In some ways the ideal place for a VPN server is where the NAT occurs.
rt

Discuss This Question: 1  Reply

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • BrantWellsTFC
    Hey Manthax: You will have to create an Accss List that is something along the lines of... access-list permit gre any host your.vpn.ip.addy ie: access-list permit gre any host 192.168.0.3 If your router complains about not knowing what GRE is, then try something like... access-list permit 47 any host 192.168.0.3 (47 is the PROTOCOL NUMBER for GRE, and not a port number!)
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.

Following

Share this item with your network: