Firewall Wizards mailing list archives

RE: PIX 515 and Cisco VPN client from inside


From: email lists <lists () darrenmackay com>
Date: Sat, 30 Aug 2003 22:05:17 +1000

Hi,

I'm new to the list and apologize if this question has been asked before. I
read through the 2003 archives and couldn't find anything similar.

Our company uses a PIX 515 with 3 legs, OUTSIDE, DMZ and INSIDE. We have
users doing VPN tunnels from their homes with Cisco VPN client 4 and
terminating the tunnels at the PIX. This works great. But we can't
create tunnels from INSIDE that terminate at other customers'
endpoints. The tunnels are easily created if we work outside our PIX.
The PIX 515 does PAT for all INSIDE connections using the outside interface
IP. Are there any hooks when doing VPN over PAT with Cisco clients?


regards
Marko Kupiainen
CIO Microcraft AB

The caveat is that the PIX is unable to terminate IPsec and pass IPsec
through at the same time when you are using the PIX external
interface address (PAT).

The remote site should be able to configure udp 4500 (if they have a
pix) or tcp 10000 (if they have a vpn concentrator, this port can also
be changed) encapsulation of the payload. On the remote pix, this is
done with:

   isakmp nat-traversal

You also need to enable "transparent tunneling" under the "transport"
for the connection definition in the vpn client, otherwise, the payload
will be sent using protocol 50 as per normal.

Note - it appears that if you have more than 1 Cisco VPN client passing
through your PIX that is terminating on the same endpoint, the PIX
increments the UDP encapsulation port.

Hope this helps.

Darren
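As an added illustration of the distinction Darren draws (native protocol 50 versus UDP 4500 encapsulation), here is a small classifier that is not part of the thread: it builds a few constructed IPv4 packets and labels each as native ESP, IKE inside NAT-T, UDP-encapsulated ESP or a NAT-T keepalive, following the RFC 3948 layout (IKE on UDP 4500 is prefixed with a four-zero-byte non-ESP marker; a keepalive is a single 0xFF byte). Only native ESP lacks ports for a PAT device to rewrite per client, which is why the transparent-tunneling setting matters.

```python
import socket
import struct

# ESP (IP protocol 50) has no ports a PAT device can rewrite; NAT-T wraps it in
# UDP 4500 (RFC 3948), and IKE on that port is prefixed with a 4-byte zero marker.
ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def build_ipv4(proto, payload, src="10.0.0.5", dst="192.0.2.10"):
    """Constructed IPv4 header (no options, checksum left zero) for sample packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """Constructed UDP header (checksum left zero) wrapping data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet):
    """Label a raw IPv4 packet by how it crosses a PAT device."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == ESP_PROTO:
        return "esp-native"        # protocol 50: the case the reply says fails over PAT
    if proto != UDP_PROTO or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    data = body[8:]
    if NAT_T_PORT not in (sport, dport):
        return "other"             # e.g. plain IKE on UDP 500, no encapsulation
    if data == b"\xff":
        return "nat-t-keepalive"   # one-byte keepalive that keeps the PAT binding alive
    if data[:4] == NON_ESP_MARKER:
        return "ike-nat-t"         # IKE negotiation carried inside UDP 4500
    return "esp-udp-encap"         # an ESP SPI is never zero, so this is encapsulated ESP


if __name__ == "__main__":
    spi_seq = bytes.fromhex("1234abcd00000001") + b"\x00" * 16   # constructed ESP header
    samples = {
        "native ESP": build_ipv4(ESP_PROTO, spi_seq),
        "IKE over 4500": build_ipv4(UDP_PROTO, build_udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
        "ESP over 4500": build_ipv4(UDP_PROTO, build_udp(61001, 4500, spi_seq)),
    }
    for name, pkt in samples.items():
        print(f"{name:14} -> {classify(pkt)}")
```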
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

