You could, if the PIX supported NAT transparency for IPSec like the VPN 3000
does.  Unfortunately, this feature is not yet available.  My SE tells me it's
on the road map for inclusion sometime this year, but there are no firm
dates yet.

Your other option would be to get rid of the cayman router, but you probably
would need PPPoE support on the PIX for your DSL connection, which according
to the 6.1.3 release notes is also not an option yet. (if you don't need
PPPoE, I'd get rid of the Cayman right now)  Otherwise, you'll have to wait
for PPPoE support in the PIX, which should be in the next major release.

The only option I see for you without using different hardware is to use
PPTP as an interim solution.  You'll need to allow certain ports and
protocols through the Cayman.  Here's a link that shows what you need; it's
for the PIX, but you can adapt it for the Cayman:

http://www.cisco.com/warp/public/110/pix_pptp.html

Then you'll need to configure the PIX to support PPTP:

http://www.cisco.com/warp/public/110/pptppix.html

Keep in mind that PPTP is not as secure as IPSec.  Some of the problems with
PPTP were addressed by MS with MSCHAP-2, but there are still issues.  I
would only use this as a short term solution.  You can read about the
problems with PPTP here:

http://www.counterpane.com/pptpv2-paper.html


HTH,
Kent
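The following is an added example, not part of Kent's reply or of Cisco's documents, that models the inbound decision a PAT-only router with a single public IP can make. It shows why the pinholes discussed in this thread (UDP or TCP 10000 for encapsulated IPsec, TCP 1723 for PPTP control) can select the PIX, while native ESP (IP protocol 50) and PPTP's GRE data channel (IP protocol 47) carry no transport port for a pinhole to match, which is the "protocols" part of what must be allowed through the Cayman. All addresses and packets are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

# IANA IP protocol numbers (standard values, not taken from the mail thread).
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP data channel
PROTO_ESP = 50   # native IPsec

# Constructed placeholder addresses: the one public IP on the Cayman's DSL side
# and the PIX outside interface behind it (not the poster's real addresses).
PUBLIC_IP = "203.0.113.10"
PIX_OUTSIDE = "192.168.1.2"


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum 0) plus payload. Constructed test data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def l4_ports(sport, dport):
    """TCP and UDP both begin with 16-bit source and destination ports; the rest is padding."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def parse(pkt):
    """Return (proto, src, dst, sport, dport); ports are None for protocols that have none."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return proto, src, dst, sport, dport
    return proto, src, dst, None, None


def inbound_decision(pkt, pinholes):
    """Model a PAT-only router with one public IP: an inbound packet is forwarded
    only when (proto, dport) matches a pinhole. Protocols without ports never match,
    so they need explicit protocol pass-through rather than a port pinhole."""
    proto, src, dst, sport, dport = parse(pkt)
    if dst != PUBLIC_IP:
        return ("drop", "not addressed to the public IP")
    if dport is None:
        return ("drop", f"IP protocol {proto} carries no transport port; a port pinhole cannot select it")
    target = pinholes.get((proto, dport))
    if target is None:
        return ("drop", f"no pinhole for proto {proto} port {dport}")
    return ("forward", target)


# Pinholes the thread proposes: IPsec over UDP/TCP 10000, plus PPTP control on TCP 1723.
PINHOLES = {
    (PROTO_UDP, 10000): PIX_OUTSIDE,
    (PROTO_TCP, 10000): PIX_OUTSIDE,
    (PROTO_TCP, 1723): PIX_OUTSIDE,
}

CLIENT = "198.51.100.7"  # constructed remote VPN client address
PKT_UDP_ENCAP = build_ipv4(PROTO_UDP, CLIENT, PUBLIC_IP, l4_ports(40001, 10000))
PKT_PPTP_CTRL = build_ipv4(PROTO_TCP, CLIENT, PUBLIC_IP, l4_ports(40002, 1723))
PKT_RAW_ESP = build_ipv4(PROTO_ESP, CLIENT, PUBLIC_IP, b"\x00" * 8 + b"\x00" * 16)  # SPI + seq, no ports
PKT_PPTP_GRE = build_ipv4(PROTO_GRE, CLIENT, PUBLIC_IP, b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("udp/10000", PKT_UDP_ENCAP), ("tcp/1723", PKT_PPTP_CTRL),
                      ("raw esp", PKT_RAW_ESP), ("gre", PKT_PPTP_GRE)]:
        print(f"{name:10} -> {inbound_decision(pkt, PINHOLES)}")
```

Running the block prints that the two port-based flows are forwarded to the PIX while the ESP and GRE packets are dropped; on the real Cayman the GRE case is the extra protocol rule PPTP needs beyond the TCP 1723 pinhole.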

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Xuhui martin1
Sent: Wednesday, April 10, 2002 6:34 PM
To: [EMAIL PROTECTED]
Subject: Re: configure VPN on PIX which behind PAT router [7:41090]


Thanks Mike. You are 100% correct when you describe my limitations. Well, I
am doing something "Mission Impossible".
I have set up the PIX firewall without NAT. It's the Cayman router that does
the PAT. And I did a pinhole on the Cayman router to the mail server which is
behind the firewall. Everything works fine, except the VPN; I want to have
some ideas first before I try to configure it.
I know that on the Cisco VPN Client, we can configure IPsec over UDP or TCP.
I wonder if there is additional configuration on the PIX firewall as well to
support the UDP or TCP port 10000. Because the VPN connection is always
initialized by the client, if the client uses IPSec over UDP or TCP, in
theory I could configure the Cayman router to pinhole port 10000 to the PIX IP
address.

Please correct me if I am wrong.

Daniel

"Mark Odette II" wrote in message news:[EMAIL PROTECTED]...
> Daniel- I may be clueless to some fancy configuration on PAT, but it is my
> belief from my experience that you can't do what you're trying to do.
>
> Your Limitations are:
> 1. The Cayman Router (It only Does PAT itself, and doesn't have the
> ability to terminate VPNs- It can only PASS Thru the IPSEC Traffic.)
> 2. The fact you only have 1 IP address for public use.
>
> From my understanding, with the release of PIX 6.1 code, you can configure
> "Dynamic NAT" on the PIX so that if you only get one IP address
> Dynamically, you can use the PIX Outside Interface (not the IP itself) as a
> nat point between the Public IP and ONE Host on the inside network; this
> also applies if you only get one Static IP from your ISP.  You can't use
> that one IP to PAT port 80 to one inside network host and port 25 to a
> different inside network host.  To make this work though, you have to
> replace the Cayman DSL Router with a regular DSL Modem that you connect the
> DSL Modem's Ethernet Port to the Outside Interface of the PIX- or plug the
> outside interface and the ethernet interface of the DSL Modem to a "Secure"
> Hub/Switch, i.e., nothing else plugs into that hub/switch too.
>
> If you want to support NATing to multiple hosts on the Inside Network, you
> are going to have to get more Static IPs assigned to you by the ISP.
>
>
> Now of course, if I'm way off base, somebody else will correct me, I'm
> sure :)
>
> HTHs
> -Mark
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Daniel Ma
> Sent: Wednesday, April 10, 2002 3:35 PM
> To: [EMAIL PROTECTED]
> Subject: configure VPN on PIX which behind PAT router [7:41090]
>
>
> I am configuring a PIX firewall behind a Cayman DSL router. The whole
> network only has one public IP address which is on the DSL interface. I
> need to configure the PIX firewall for the remote VPN clients.
> My solution is to encapsulate all IPSEC traffic with TCP 10000, or UDP
> 10000, so the Cayman router could be configured to pinhole port 10000 to
> the PIX outside interface. But I could not find documents on how to
> configure it.
> It will be greatly appreciated if anyone could help me out, or probably
> you have better solutions.
>
> Thanks,
>
> Daniel

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41191&t=41090
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html