Anyone know the syntax to allow IPsec traffic to a DMZ host via conduit?
darthfeces 2002-04-01, 1:38 pm

Basically we'll be placing the outside interface of a 3030 concentrator in the DMZ with a static translation to itself.
Would it be?

    conduit permit ahp host x.x.x.x host x.x.x.x
    conduit permit esp host x.x.x.x host x.x.x.x
    conduit permit udp host x.x.x.x host x.x.x.x eq isakmp
Reply:

You got it.
AH, ESP and UDP 500.
sysopt connection permit-ipsec if you want your PIX FW to bypass conduits on IPsec-connected users.
Reply:

Darth:
I almost forgot. Don't forget to upgrade your concentrator's software to 3.5.2 and the clients to 3.5.1, because the old software is buggy.
HTH
darthfeces 2002-04-01, 9:00 pm

Someone also recommended to me to use UDP 10000 for IPsec/NAT.
Reply:

UDP 10000 is the recommended port number for IPsec over UDP transparent tunneling, but you can run it on other ports, including TCP or even port 80 (HTTP).
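A fuller PIX 6.x configuration for the setup discussed in this thread, added here as an illustration and not taken from any of the posts: the concentrator's outside interface sits in the DMZ with a static translation to itself, and conduits admit AH (IP protocol 51), ESP (IP protocol 50), ISAKMP (UDP 500) and the concentrator's IPsec-over-UDP port 10000 mentioned later in the thread. The address 203.0.113.10 and the interface names outside and dmz are placeholders. Two details worth checking against the poster's draft: PIX spells the AH protocol keyword ah (IOS-style extended ACLs use ahp), and the port operator belongs after the global (DMZ host) address so it constrains the destination port rather than the remote peer's source port. The foreign side is any because remote-access clients arrive from arbitrary addresses; for a fixed site-to-site peer, replace any with host followed by the peer's address, which narrows the exposure to that one peer. sysopt connection permit-ipsec only skips conduit checks for tunnels the PIX itself decrypts; it does not apply to traffic passed through to a concentrator, so the explicit conduits remain necessary. The comment lines are for the reader and are not part of the PIX syntax.

```cisco
! Added example, not from the thread. Placeholders: 203.0.113.10 is the
! concentrator's outside interface in the DMZ; interfaces are "outside" and "dmz".

! Static translation of the DMZ host to itself: no address change, but PIX 6.x
! needs a static before an inbound conduit can reference the host.
static (dmz,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255

! IKE control channel and the two IPsec data protocols, inbound to the
! concentrator from any peer (narrow "any" to "host <peer>" for site-to-site).
conduit permit udp host 203.0.113.10 eq isakmp any
conduit permit esp host 203.0.113.10 any
conduit permit ah host 203.0.113.10 any

! Concentrator "IPsec over UDP" transparent tunneling, default port 10000,
! for clients behind NAT/PAT devices that cannot pass ESP.
conduit permit udp host 203.0.113.10 eq 10000 any
```

Each conduit is a permanent hole through the firewall to that one host, so the set above should be the complete list; if IPsec over UDP is not enabled on the concentrator, leave out the port 10000 line rather than opening it speculatively.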