Firewall Wizards mailing list archives

RE: Clients can't access pix w/ vpn from behind nat devices using the newest cisco client.


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 22 Oct 2003 13:00:01 -0400

Part of the issue is that the NAT device is changing the source ports on
the VPN client, which causes problems for the PIX unless `isakmp
nat-traversal` (which, as you said, is available in PIX OS 6.3) is set
in the config.  Depending on the NAT device, you may be able to
statically map the source port based on the destination port and/or
address.  In some D-Link, Linksys, and probably other SOHO products,
there is a feature called "IPSec Passthrough" that can be enabled.  On a
Linux or *BSD type firewall, you can do this manually.  With pf, you
want to use 'static-port'.  Here is the nat rule from pf.conf on my
OpenBSD firewall.  The interface and network macros are defined
elsewhere in the config, but you get the idea.

nat on $ext_if from 10.0.0.247/32 to $vpn_nets -> ($ext_if) static-port

PaulM


-----Original Message-----
I am having some problems connecting to a pix firewall vpn connection
using the cisco client when the clients are behind a nat device to the
internet. Is there a way to let them connect without giving them a
routable ip address or modifying their routers at all?  Have any of you
ever had to get past this problem?  Is it possible to get past this
problem?  I am new to pix but I have done some research.  It seems that
we need version 6.3 of the OS and that possibly doing nat traversal
would help.  All this is configured though.  Any help would be great.
Thanks a lot.
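The pf approach Paul describes, written out as a fuller pf.conf fragment (this is an added example, not text from the thread). The interface names, the client address and the VPN network ranges are assumed placeholder values; the thread only gives the single `static-port` rule. The point it adds is rule ordering: pf applies the first matching translation rule, so the `static-port` rule must precede the general masquerading rule or it never fires.

```conf
# Assumed macros (the original mail defines these elsewhere in its config)
ext_if     = "fxp0"
int_if     = "fxp1"
vpn_client = "10.0.0.247"                       # workstation running the Cisco VPN client
vpn_nets   = "{ 192.0.2.0/24, 198.51.100.0/24 }" # PIX outside address / remote networks (placeholders)

# Translation rules: pf uses the FIRST matching nat rule, so the
# static-port rule for the VPN client must come before the catch-all.
# static-port keeps the client's UDP source port (500 for IKE) intact,
# which is what the PIX expects when isakmp nat-traversal is not enabled.
nat on $ext_if from $vpn_client to $vpn_nets -> ($ext_if) static-port

# Everything else gets normal masquerading with rewritten source ports.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Filter rules: allow IKE (udp/500), NAT-T (udp/4500) and ESP (proto 50)
# to the VPN networks, and let the ESP replies back in.  Note that
# translating ESP without NAT-T only works for one client at a time,
# since ESP has no ports to distinguish concurrent sessions.
pass out on $ext_if proto udp from ($ext_if) to $vpn_nets port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to $vpn_nets
pass in  on $ext_if proto esp from $vpn_nets to ($ext_if)
```

Reload with `pfctl -f /etc/pf.conf` and confirm the order with `pfctl -s nat`; if the catch-all rule is listed first, the client's IKE source port will still be rewritten.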
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards