Firewall Wizards mailing list archives

Re: pix 515 vpn client using PAT


From: Eric Vyncke <evyncke () cisco com>
Date: Tue, 17 Jul 2001 11:41:16 -0700

AFAIK, the PIX 6.0 does not support IPSec in NAT mode (actually a UDP encapsulation of IPSec & IKE packets). The Cisco IPSec VPN3000 client does support IPSec in NAT mode as well as the VPN3000 concentrators.

You should try to tweak your NAT box to always forward UDP/500 + ESP to the IPSec client behind it.

Regards

-eric

At 15:35 10/07/2001 +0100, Daniel Handley wrote:
I have upgraded my PIX 515 to version 6.01 in the hope of using VPN client 3
from multiple platforms.
I have succeeded so far in that it works from an open connection but not
from behind a PAT router (W2K server running NAT from home with a cable
modem).
The current config for the VPN client is below.
I also have four other sites connected, some fully meshed, the others hub and
spoke. I use the access list for these in the config.
Is there something missing that will enable the use of PAT to the PIX? I
have enabled the client but it times out.
Dan

crypto ipsec transform-set hpvpn esp-des esp-md5-hmac
crypto dynamic-map dynvpn 50 set transform-set hpvpn

crypto map map2 50 ipsec-isakmp dynamic dynvpn

isakmp client configuration address-pool local ippool outside

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000

vpngroup test address-pool ippool
vpngroup test dns-server 10.200.100.200
vpngroup test wins-server 10.200.100.200
vpngroup test split-tunnel 100
vpngroup test idle-time 1800
vpngroup test password ********


Daniel Handley
Infrastructure Manager, HomePage Ltd
Tel: 020 8880 4570 Fax: 020 8880 4328
mailto:daniel () homepage net http://www.homepage.net
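The point Eric makes, that a PAT device has nothing to multiplex bare ESP on, is easier to see with a small model. The following Python is an added illustration, not code from the thread, the PIX, or Cisco: it simulates a port-based PAT box and runs three cases, plain PAT (IKE on UDP/500 passes, bare ESP never gets back in), Eric's workaround of statically forwarding UDP/500 and ESP to one inside host (works for exactly one client), and UDP-encapsulated ESP (ordinary UDP to the PAT box, so any number of clients work). All addresses, ports and SPIs are constructed sample values; port 4500 is the later standardised NAT-T port and is an assumption here, not a claim about what the 2001 Cisco client used.

```python
"""Model of a port-address-translation (PAT) box carrying IPsec traffic.

Illustration only: a PAT keys its table on transport ports, ESP (IP protocol 50)
has no port field, so ESP replies can only be delivered via a static forward,
whereas ESP carried inside UDP is translated like any other UDP flow.
"""
from dataclasses import dataclass, field
from typing import Optional

ESP = 50          # IP protocol number for ESP
UDP = 17          # IP protocol number for UDP
IKE_PORT = 500
NAT_T_PORT = 4500  # assumed NAT-T port (RFC 3948); sample value for this model


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # UDP only
    dport: Optional[int] = None  # UDP only
    spi: Optional[int] = None    # ESP only; unchanged by the PAT, also when inside UDP


@dataclass
class PatBox:
    public_ip: str
    # (proto, dport or None) -> inside host that statically receives that traffic
    static_forward: dict = field(default_factory=dict)
    next_port: int = 40000
    out_table: dict = field(default_factory=dict)  # (inside_ip, sport) -> public port
    in_table: dict = field(default_factory=dict)   # public port -> (inside_ip, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: UDP gets a per-flow public port, ESP is only re-addressed."""
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport)
            if key not in self.out_table:
                self.out_table[key] = self.next_port
                self.in_table[self.next_port] = key
                self.next_port += 1
            return Packet(self.public_ip, pkt.dst, UDP, self.out_table[key], pkt.dport, pkt.spi)
        # No port field: the box can rewrite the source address but records no flow state.
        return Packet(self.public_ip, pkt.dst, pkt.proto, spi=pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside; None means the box has no idea where it belongs and drops it."""
        if pkt.proto == UDP:
            if pkt.dport in self.in_table:
                inside_ip, sport = self.in_table[pkt.dport]
                return Packet(pkt.src, inside_ip, UDP, pkt.sport, sport, pkt.spi)
            target = self.static_forward.get((UDP, pkt.dport))
            return Packet(pkt.src, target, UDP, pkt.sport, pkt.dport, pkt.spi) if target else None
        target = self.static_forward.get((pkt.proto, None))
        return Packet(pkt.src, target, pkt.proto, spi=pkt.spi) if target else None


def round_trip(box: PatBox, client: str, gateway: str, proto: int,
               sport: Optional[int] = None, dport: Optional[int] = None,
               spi: Optional[int] = None) -> bool:
    """True if the gateway's reply to the client's packet reaches that client."""
    out = box.outbound(Packet(client, gateway, proto, sport, dport, spi))
    # Gateway replies by swapping addresses/ports; an ESP reply carries the peer's own SPI.
    reply = Packet(gateway, out.src, proto, out.dport, out.sport,
                   None if spi is None else spi ^ 0xFFFF)
    back = box.inbound(reply)
    return back is not None and back.dst == client


def scenarios() -> dict:
    gw = "192.0.2.1"                 # constructed: the PIX outside address
    a, b = "10.0.0.5", "10.0.0.6"    # constructed: two clients behind the same PAT box
    pub = "198.51.100.9"             # constructed: the PAT box's public address

    plain = PatBox(pub)
    fwd = PatBox(pub, static_forward={(UDP, IKE_PORT): a, (ESP, None): a})
    natt = PatBox(pub)
    return {
        # 1. plain PAT: IKE is fine, bare ESP replies have no port to map on
        "ike_ok": round_trip(plain, a, gw, UDP, IKE_PORT, IKE_PORT),
        "esp_dropped": not round_trip(plain, a, gw, ESP, spi=0x1001),
        # 2. static forward of UDP/500 + ESP: exactly one inside host can use it
        "fwd_a_ok": round_trip(fwd, a, gw, ESP, spi=0x1001),
        "fwd_b_dropped": not round_trip(fwd, b, gw, ESP, spi=0x2002),
        # 3. ESP in UDP: the PAT sees ordinary UDP flows, one public port per client
        "natt_a_ok": round_trip(natt, a, gw, UDP, NAT_T_PORT, NAT_T_PORT, spi=0x1001),
        "natt_b_ok": round_trip(natt, b, gw, UDP, NAT_T_PORT, NAT_T_PORT, spi=0x2002),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:14s} {'pass' if ok else 'FAIL'}")
```

The second client's failure in case 2 is the limit of the static-forward workaround: the box can send outbound ESP from anyone, but every ESP reply lands on the one forwarded host, which is why the fix Eric points to is UDP encapsulation on both client and gateway rather than more forwarding rules.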

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
