In most cases, no - that is not possible. But if you are terminating the IPSec tunnel at a device that supports NAT transparency, then yes, you'll be able to pass IPSec through PAT.

The issue here is that IPSec uses the ESP protocol, which doesn't have ports. So how can you use PAT (port address translation) for a protocol that doesn't have ports? Let's say Cisco VPN Concentrators have a feature like IPSec over UDP or TCP. What it does is encapsulate ESP in UDP or TCP. So the answer to your question depends on whether your VPN client and VPN device support IPSec over TCP or UDP.

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edward Sohn
Sent: Monday, May 27, 2002 9:56 PM
To: [EMAIL PROTECTED]
Subject: PIX passing IPSEC traffic? [7:45197]

Hello, all...

I have a PIX501 set up for PAT on one IP address through my cable modem. I have a client on my internal network that needs to connect to a corporate extranet via IPSEC, using its own client software (Nortel). In other words, there are no network-to-network or Cisco-to-Cisco IPSEC connections. The PIX simply passes the traffic.

The problem is that I cannot get the client to connect through the PIX. I believe it's because the client needs its own statically translated address on the PIX (because when I use my only IP address, I can make it connect). However, the challenge here is to make it so that I can make this VPN client work through the PIX while still using PAT. This way, it doesn't hose all my other computers on the inside.

Is this possible? I was thinking of a port address mapping statement, but I wouldn't know which ports to use. Anyone have any experience with this?

Thanks,
Eddie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45391&t=45197
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
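As an added illustration (not part of this thread or of any vendor's code), the constructed Python example below shows why a PAT device has nothing to key a translation on for plain ESP, and what changes once ESP is wrapped in UDP the way NAT-T (RFC 3948, UDP port 4500) does; the addresses, SPI value and helper names are assumptions.

```python
import struct

ESP_PROTO = 50       # IP protocol number for ESP: header is SPI + sequence, no ports
UDP_PROTO = 17
NAT_T_PORT = 4500    # UDP port for RFC 3948 UDP-encapsulated ESP (NAT-T)

def build_ipv4(proto, src, dst, payload):
    """Constructed minimal IPv4 header (no options) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload

def esp_header(spi, seq):
    """ESP starts with a 32-bit SPI and a 32-bit sequence number; the rest is
    ciphertext, so a translator sees nothing that looks like a port."""
    return struct.pack("!II", spi, seq)

def udp_encap_esp(spi, seq, sport=NAT_T_PORT):
    """NAT-T framing: a UDP header in front of the ESP packet. The first four
    bytes after UDP are the SPI, which must be non-zero (an all-zero marker
    would signal IKE instead), so the receiver can tell the two apart."""
    esp = esp_header(spi, seq)
    udp = struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp), 0)
    return udp + esp

def pat_key(pkt):
    """Return the (proto, src, sport) tuple a PAT device keys its table on,
    or None when the packet has no port field. None is exactly the case
    where a PAT box sharing one public address has nothing to translate
    and the only workable translation is a static one-to-one mapping."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    payload = pkt[ihl:]
    if proto in (6, UDP_PROTO):            # TCP/UDP: source port comes first
        return (proto, src, struct.unpack("!H", payload[:2])[0])
    return None

# Constructed sample packets from an inside host to the corporate gateway.
PLAIN_ESP = build_ipv4(ESP_PROTO, "192.168.1.10", "203.0.113.5",
                       esp_header(0x1A2B3C4D, 1))
NAT_T_ESP = build_ipv4(UDP_PROTO, "192.168.1.10", "203.0.113.5",
                       udp_encap_esp(0x1A2B3C4D, 1))

if __name__ == "__main__":
    print("plain ESP ->", pat_key(PLAIN_ESP))   # None: cannot be PATed
    print("NAT-T ESP ->", pat_key(NAT_T_ESP))   # (17, '192.168.1.10', 4500)
```

With standard NAT-T the flows a PAT firewall has to pass are UDP 500 (IKE) and UDP 4500 (UDP-encapsulated ESP); both have ports, so ordinary PAT state can track them.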