Configuring The Firewall For A Vpn In A Dmz - Siemens RX1500 User Manual

Ruggedcom rox ii series

RUGGEDCOM ROX II User Guide
Chapter 5
Setup and Configuration

NOTE
The VPN host must be specified before the network host so the more specific VPN zone subnet can be inspected first.

Table: Example

| Host | Interface | Subnet | IPsec Zone |
|------|-----------|--------|------------|
| vpn | W1ppp | 192.168.1.0/24 | Yes |
| net | W1ppp | 0.0.0.0/0 | No |

10. Configure rules with the following parameter settings for the UDP, Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols:

NOTE
The IPsec protocol operates on UDP port 500, using the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. The firewall must be configured to accept this traffic in order to allow the IPsec protocol.

Table: Example

| Action | Source-Zone | Destination-Zone | Protocol | Dest-Port |
|--------|-------------|------------------|----------|-----------|
| Accept | net | fw | ah | |
| Accept | net | fw | esp | |
| Accept | net | fw | udp | 500 |

For more information about configuring rules, refer to Section 5.17.14, "Managing Rules".

11. Configure the following rule to allow traffic from openswan, the IPsec daemon, to enter the firewall:

NOTE
IPsec traffic arriving at the firewall is directed to openswan, the IPsec daemon. Openswan decrypts the traffic and then forwards it back to the firewall on the same interface that originally received it. A rule is required to allow traffic to enter the firewall from this interface.

Table: Example

| Action | Source-Zone | Destination-Zone | Protocol | Dest-Port |
|--------|-------------|------------------|----------|-----------|
| Accept | vpn | loc | | |

For more information about configuring rules, refer to Section 5.17.14, "Managing Rules".

Section 5.17.7

Configuring the Firewall for a VPN in a DMZ

When the firewall needs to pass VPN traffic through to another device, such as a VPN device in a Demilitarized Zone (DMZ), a DMZ zone and special rules are required.

To configure the firewall for a VPN in a DMZ, do the following:

1. Click Tools on the toolbar followed by CLI. The CLI terminal window appears.
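The host-ordering note and the step 10 rule table from the preceding VPN procedure, modelled as an added Python example (not part of the Siemens manual and not ROX II configuration syntax): it classifies an address by first match, flags host entries shadowed by an earlier, broader subnet, and reports which IPsec accept rules are missing. The tuple layouts, function names and the first-match model are assumptions made for illustration.

```python
import ipaddress

# Constructed model of the page's example tables; not ROX II configuration syntax.
# Host entries are evaluated in order and the first match wins (assumption taken
# from the note that the more specific VPN subnet must be inspected first).
HOSTS = [  # (zone, interface, subnet, ipsec_zone)
    ("vpn", "W1ppp", "192.168.1.0/24", True),
    ("net", "W1ppp", "0.0.0.0/0", False),
]
RULES = [  # (action, source_zone, dest_zone, protocol, dest_port)
    ("Accept", "net", "fw", "ah", None),
    ("Accept", "net", "fw", "esp", None),
    ("Accept", "net", "fw", "udp", 500),
    ("Accept", "vpn", "loc", None, None),
]
REQUIRED_IPSEC = {("ah", None), ("esp", None), ("udp", 500)}

def classify(hosts, interface, address):
    """Return the zone of the first host entry matching interface and address."""
    ip = ipaddress.ip_address(address)
    for zone, iface, subnet, _ipsec in hosts:
        if iface == interface and ip in ipaddress.ip_network(subnet):
            return zone
    return None

def shadowed_hosts(hosts):
    """Return (earlier, later) zone pairs where the earlier entry's subnet covers
    the later one on the same interface, so the later entry can never match."""
    pairs = []
    for i, (zone_a, iface_a, net_a, _) in enumerate(hosts):
        a = ipaddress.ip_network(net_a)
        for zone_b, iface_b, net_b, _ in hosts[i + 1:]:
            b = ipaddress.ip_network(net_b)
            if iface_a == iface_b and a.version == b.version and b.subnet_of(a):
                pairs.append((zone_a, zone_b))
    return pairs

def missing_ipsec_rules(rules, src="net", dst="fw"):
    """Return the (protocol, dest_port) pairs from step 10 with no Accept rule."""
    present = {(proto, port) for action, s, d, proto, port in rules
               if action == "Accept" and s == src and d == dst}
    return REQUIRED_IPSEC - present

if __name__ == "__main__":
    swapped = list(reversed(HOSTS))  # net listed before vpn: the ordering mistake
    print(classify(HOSTS, "W1ppp", "192.168.1.5"), shadowed_hosts(HOSTS))
    print(classify(swapped, "W1ppp", "192.168.1.5"), shadowed_hosts(swapped))
    print(missing_ipsec_rules(RULES[:2]))
```

With the hosts in the documented order, 192.168.1.5 lands in the vpn zone; with the order swapped it falls into net and the vpn entry is reported as shadowed.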

This manual is also suitable for:

Rx1501, Rx1510, Rx1511, Rx1512