Walter Roberson
Posted: Sun Dec 11, 2005 9:17 am
Post subject: Re: Allowing private network inbound
In article <USMmf.296832$vs2.211115@fe04.news.easynews.com>,
Easynews <max@max.com> wrote:
> I've got a situation where I've got a Qwest PRN (Private VPN) network with
> several sites with addresses 192.168.0.1, 192.168.1.0 and 192.168.2.0.
> Currently we have a managed firewall solution provided by Qwest but need to
> replace this with a Cisco Pix for a couple of different reasons. Qwest can
> turn off NAT and open all ports on their firewall. My issue is that I've
> always dealt with Pix firewalls when the WAN is on the inside of the Pix. In
> this scenario, the two other locations will be on the outside of the Pix.
> How do I allow for this WAN traffic? Do I simply allow all ports for network
> 192.168.1.0 and 192.168.2.0 in an access list on the Pix?
If you are using PIX 6.x, you have two choices:
(1) sysopt connection permit-ipsec
This will permit all ipsec traffic (that authenticated properly!)
to access any inside host, with no access checking.
(2) configure your outside access list (and your inside one, if
you have one) to explicitly permit the flows from 192.168.1.0
and 192.168.2.0 that you want to allow.
-- 
I was very young in those days, but I was also rather dim.
-- Christopher Priest
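The two PIX 6.x choices from the reply above, written out as a configuration fragment. This is an added example, not part of the original post and not a configuration from Qwest or the poster; the interface names, the access-list names, and the local LAN subnet 192.168.0.0/24 are assumptions made for illustration.

```cisco
! Added example (not from the original post). Assumed layout: the remote
! sites 192.168.1.0/24 and 192.168.2.0/24 arrive on the outside interface,
! the local LAN 192.168.0.0/24 sits on the inside interface.
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! --- Option (1): skip access-list checking for IPsec-authenticated traffic.
! Every host behind an authenticated tunnel reaches every inside host on
! every port, so only use this if the other sites are fully trusted.
! Shown commented out; option (2) below is the one this example applies.
! sysopt connection permit-ipsec

! --- Option (2): explicit permits on the outside access list.
! PIX 6.x access-lists take a subnet mask (255.255.255.0), NOT an
! IOS-style wildcard mask (0.0.0.255); mixing the two silently matches
! the wrong addresses.
access-list outside_in permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_in permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
! Anything else arriving on outside hits the implicit deny at the end.
access-group outside_in in interface outside

! Only needed if this PIX NATs inside hosts (nat (inside) 1 / global):
! exempt traffic to the other sites so they see real 192.168.0.0/24
! addresses rather than a translated one.
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
```

With no access-group applied to the inside interface, traffic from inside (security100) toward outside (security0) is allowed by default and the PIX tracks the session, so replies from the other sites come back without any extra outside entries. If an inside access list is in use, mirror the two `outside_in` permits there. The `permit ip` entries reproduce the "allow all ports" the poster asked about; tighten them to the specific hosts and ports once those are known.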