Daniel - I may be clueless about some fancy configuration on PAT, but it is my
belief from my experience that you can't do what you're trying to do.

Your limitations are:
1. The Cayman router (it only does PAT itself, and doesn't have the ability
to terminate VPNs; it can only pass the IPsec traffic through).
2. The fact you only have 1 IP address for public use.

From my understanding, with the release of PIX 6.1 code, you can configure
"Dynamic NAT" on the PIX so that if you only get one IP address dynamically,
you can use the PIX outside interface (not the IP itself) as a NAT point
between the public IP and ONE host on the inside network; this also applies
if you only get one static IP from your ISP.  You can't use that one IP to
PAT port 80 to one inside network host and port 25 to a different inside
network host.  To make this work, though, you have to replace the Cayman DSL
router with a regular DSL modem, connecting the DSL modem's Ethernet port to
the outside interface of the PIX, or plug the outside interface and the
Ethernet interface of the DSL modem into a "secure" hub/switch, i.e.,
nothing else plugs into that hub/switch.

If you want to support NATing to multiple hosts on the inside network, you
are going to have to get more static IPs assigned to you by the ISP.


Now of course, if I'm way off base, somebody else will correct me, I'm sure
:)

HTHs
-Mark
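As an added illustration of the layout Mark describes (PIX outside interface on the single public IP, obtained by DHCP straight from a DSL modem, with the PIX both PATing the inside network and terminating the remote VPN clients), here is a PIX 6.1-style configuration fragment. This is example configuration written for this page, not config from either poster, not a Cisco document, and not a claim about the Cayman router; the interface names, address ranges, group name "vpnclients", pool "vpnpool" and the pre-shared group secret are all assumed placeholders.

```cisco
! Added example, not from the original thread or from Cisco documentation.
! Assumes: PIX 6.1, ethernet0 = outside (public IP via DHCP from a DSL modem,
! no Cayman in the path), ethernet1 = inside 192.168.1.0/24,
! VPN client address pool 192.168.2.0/24, group name "vpnclients".
! All addresses, names and the group password are illustrative.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0

! Outbound: every inside host hides behind the outside interface address (PAT)
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Traffic between the inside network and the VPN client pool must bypass NAT,
! otherwise the clients see the PAT address instead of the real inside hosts
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Phase 1 (ISAKMP) for Cisco VPN clients, pre-shared group authentication
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2: a dynamic crypto map, because client source addresses are unknown
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap interface outside

! Let decrypted VPN traffic in without a matching entry in the outside ACL
sysopt connection permit-ipsec

! Client group: address pool, idle timeout and group password
ip local pool vpnpool 192.168.2.1-192.168.2.50
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password ChangeThisGroupSecret
```

Two points this layout relies on. First, ESP (IP protocol 50) carries no port numbers, so a one-to-many PAT device in front of the PIX has nothing to map inbound ESP on; that is the practical reason for putting the PIX itself on the public address rather than behind the Cayman. Second, the UDP encapsulation Daniel is after (IPsec NAT traversal on UDP 4500, configured with `isakmp nat-traversal`) only appeared in later PIX 6.3 code, so on 6.1 the modem-plus-PIX arrangement above is the supported way to reach the goal.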
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Daniel Ma
Sent: Wednesday, April 10, 2002 3:35 PM
To: [EMAIL PROTECTED]
Subject: configure VPN on PIX which behind PAT router [7:41090]


I am configuring a PIX firewall behind a Cayman DSL router. The whole
network only has one public IP address, which is on the DSL interface. I need
to configure the PIX firewall for the remote VPN clients.
My solution is to encapsulate all IPsec traffic in TCP 10000 or UDP
10000, so the Cayman router could be configured to pinhole port 10000 to
the PIX outside interface. But I could not find documents on how to
configure it.
It would be greatly appreciated if anyone could help me out, or perhaps you
have better solutions.

Thanks,

Daniel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41104&t=41090
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html