Re: firewall-wizards Digest, Vol 40, Issue 6

On Fri, Aug 21, 2009 at 11:27:48AM -0500, jamesworld@... wrote:
> Yes, this is easy.
>
> You need an extra address on the outside to create a static nat
> for.
> Then you need to allow the traffic to that IP address (udp/500,
> udp/4500, ESP) by way of an access-list.
>
> It would look something like below.
> 192.0.0.20 is an example outside address
> 10.5.5.5 is an example inside address (vpn terminating device)
> inside is assumed. It could be any other interface (for the static command)
>
> Configuration
> --------------------
> static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
> access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
> access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
> access-list acl-outside-in permit esp any host 192.0.0.20
> access-group acl-outside-in in interface outside

Thanks, that looks plausible. I was half-expecting the PIX to not
want to permit esp to any host other than itself.

-dsr-
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
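An added example, not part of the thread: a small audit check for the configuration quoted above. It confirms that each one-to-one static has IKE (udp/500), NAT-T (udp/4500) and ESP permitted to its mapped (outside) address in the ACL bound to that interface. The function name `missing_ipsec_permits` is hypothetical, the sample is the quoted configuration, and only the exact line forms shown in the message are parsed.

```python
import re

# Constructed sample: the configuration quoted in the message above.
SAMPLE = """\
static (inside,outside) 192.0.0.20 10.5.5.5 netmask 255.255.255.255
access-list acl-outside-in permit udp any host 192.0.0.20 eq 500
access-list acl-outside-in permit udp any host 192.0.0.20 eq 4500
access-list acl-outside-in permit esp any host 192.0.0.20
access-group acl-outside-in in interface outside
"""

# IKE, NAT-T and ESP: the three flows the message says must be allowed.
REQUIRED = {("udp", "500"), ("udp", "4500"), ("esp", None)}

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (\w+) any host (\S+)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def missing_ipsec_permits(config):
    """Return {mapped_ip: [required (proto, port) flows not permitted]}."""
    statics, permits, bound = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, _real_ip = m.groups()
            statics.append((mapped_if, mapped_ip))
        elif m := ACL_RE.match(line):
            name, proto, host, port = m.groups()
            permits.setdefault((name, host), set()).add((proto, port))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL name
    result = {}
    for mapped_if, mapped_ip in statics:
        # Only the ACL applied inbound on the mapped interface counts,
        # and it must name the mapped address, as in the quoted config.
        acl = bound.get(mapped_if)
        have = permits.get((acl, mapped_ip), set())
        result[mapped_ip] = sorted(REQUIRED - have, key=str)
    return result


if __name__ == "__main__":
    print(missing_ipsec_permits(SAMPLE))
```

An empty list for an address means all three flows are permitted; entries written against the inside address, or an ACL with no `access-group` binding, are reported as missing.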