Unfortunately the business needs constitute the risk ..... However, something that I'm confused about: why do I have to open ports into the firewall? Surely the PIX keeps a connection in its state table that allows this through. In fact, thinking about it, I can authenticate to the remote machine, just not send packets. Hmmmm, time for tcpdump to see what's going on :-)
 
We are using ESP and IKE. I know that AH does not work with NAT but ESP should have no problems.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 03 October 2001 05:28
To: Johnston Mark
Cc: [EMAIL PROTECTED]
Subject: Re: Vpn from internal network


Mark,

Your e-mail is a little light on details, so I'll give you a few generic tips.  

1.  Your VPN will need UDP port 500 traffic for the ISAKMP key exchange as well as protocol 50 (ESP) traffic for the actual encrypted tunnel.  

2.  You will need ISAKMP and ESP open both ways through the PIX.

3.  You will probably have problems if you are trying to NAT the traffic at the PIX.

4.  This is an incredibly BAD idea from a security standpoint.  Your user's PC is probably not locked down very well, and this VPN basically bypasses all of your security measures between the PC and the Internet.  What I usually do in situations like this is establish a VPN connection from a VPN device in the DMZ to the other firewall, and then I can filter the traffic through my firewall.

Regards,
Jeffery Gieser
