Firewall Wizards mailing list archives
RE: PIX 515 and Cisco VPN client from inside
From: email lists <lists () darrenmackay com>
Date: Sat, 30 Aug 2003 22:05:17 +1000
Hi,
I'm new to the list and apologize if this question has been asked before. I read through the 2003 archives and couldn't find anything similar. Our company uses a PIX 515 with 3 legs: OUTSIDE, DMZ and INSIDE. We have users doing VPN tunnels from their homes with Cisco VPN client 4 and terminating the tunnels at the PIX. This works great. But we can't create tunnels from INSIDE terminating at other customers' endpoints. The tunnels are easily created if we work outside our PIX. The PIX 515 does PAT for all INSIDE connections using the outside interface IP. Are there any hooks when doing VPN over PAT with Cisco clients?

regards
Marko Kupiainen
CIO Microcraft AB
The caveat is that the pix is unable to terminate ipsec and have pass-through ipsec at the same time when you are using the pix external interface address (pat).

The remote site should be able to configure udp 4500 (if they have a pix) or tcp 10000 (if they have a vpn concentrator; this port can also be changed) encapsulation of the payload. On the remote pix, this is done with:

isakmp nat-traversal

You also need to enable "transparent tunneling" under the "transport" tab for the connection definition in the vpn client; otherwise, the payload will be sent using protocol 50 as per normal.

Note - it appears that if you have more than 1 cisco vpn client passing through your pix that is terminating on the same endpoint, the pix increments the udp encapsulation port.

Hope this helps.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
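The reason behind Darren's advice is that PAT multiplexes many inside hosts behind one address by rewriting transport-layer ports, and raw ESP (IP protocol 50) has no ports to rewrite, while NAT-T wraps the same payload in UDP 4500 (or TCP 10000 for a concentrator) and so can be translated like any other flow. The following is an added illustration, not code from the thread or from Cisco: a simplified PAT model that shows why an un-encapsulated ESP flow cannot be carried, why the UDP 4500 flow can, and how two clients behind the same PIX reaching the same endpoint end up on distinct outside source ports (the "incrementing port" observation above). All addresses are constructed (RFC 5737 documentation ranges and a private inside net); the port-allocation policy is a hypothetical one chosen for clarity, not the PIX's real algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP protocol numbers
ESP = 50   # raw IPsec ESP: no transport header, so no ports for PAT to rewrite
UDP = 17
TCP = 6

NAT_T_UDP_PORT = 4500    # IPsec NAT-T encapsulation ("isakmp nat-traversal" on a PIX)
IPSEC_TCP_PORT = 10000   # IPsec-over-TCP default on a VPN concentrator (changeable)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports (e.g. ESP)
    dport: Optional[int] = None


def encapsulation(flow: Flow) -> str:
    """Classify how an IPsec flow is being carried on the wire."""
    if flow.proto == ESP:
        return "raw ESP (protocol 50)"
    if flow.proto == UDP and flow.dport == NAT_T_UDP_PORT:
        return "UDP 4500 NAT-T"
    if flow.proto == TCP and flow.dport == IPSEC_TCP_PORT:
        return "TCP 10000 IPsec-over-TCP"
    return "not IPsec"


class PatTable:
    """Toy PAT: every inside (src, proto, sport) gets its own outside port (hypothetical policy)."""

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.bindings: Dict[Tuple[str, int, int], int] = {}

    def translate(self, flow: Flow) -> Optional[Flow]:
        """Return the translated flow, or None when PAT has no port to rewrite."""
        if flow.sport is None:
            return None  # raw ESP: nothing to multiplex on, so it cannot share one address
        key = (flow.src, flow.proto, flow.sport)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return Flow(self.outside_ip, flow.dst, flow.proto, self.bindings[key], flow.dport)


def audit(flows: List[Flow], pat: PatTable) -> List[Tuple[str, Optional[int]]]:
    """For each inside flow: (encapsulation, outside source port or None if PAT drops it)."""
    results = []
    for f in flows:
        t = pat.translate(f)
        results.append((encapsulation(f), t.sport if t else None))
    return results


# Constructed sample: two inside clients talking to one customer VPN endpoint,
# first without transparent tunneling (raw ESP), then with NAT-T (UDP 4500).
CUSTOMER_ENDPOINT = "203.0.113.5"
SAMPLE_FLOWS = [
    Flow("10.0.0.11", CUSTOMER_ENDPOINT, ESP),
    Flow("10.0.0.12", CUSTOMER_ENDPOINT, ESP),
    Flow("10.0.0.11", CUSTOMER_ENDPOINT, UDP, NAT_T_UDP_PORT, NAT_T_UDP_PORT),
    Flow("10.0.0.12", CUSTOMER_ENDPOINT, UDP, NAT_T_UDP_PORT, NAT_T_UDP_PORT),
]


def run_sample() -> List[Tuple[str, Optional[int]]]:
    return audit(SAMPLE_FLOWS, PatTable(outside_ip="198.51.100.1"))


if __name__ == "__main__":
    for enc, port in run_sample():
        print(f"{enc:28s} -> {'dropped (no port to translate)' if port is None else f'outside port {port}'}")
```

The two ESP flows come back as `None`: with only the outside interface address available, the PAT has no field that distinguishes the two inside clients, which is exactly the case where the client must be switched to transparent tunneling and the far end must accept NAT-T. The two UDP 4500 flows both succeed, and because both clients use source port 4500 the translator has to hand each one a different outside port, so the remote endpoint sees two distinct encapsulation ports from the same address.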
Current thread:
- RE: PIX 515 and Cisco VPN client from inside Robert L. Wanamaker (Sep 01)
- <Possible follow-ups>
- RE: PIX 515 and Cisco VPN client from inside Wes Noonan (Sep 01)
- RE: PIX 515 and Cisco VPN client from inside email lists (Sep 01)