Cool, so the PIX will not support VPNs over PAT !!! So if I had my Main
Office PIX, and a VPN Concentrator ..... could I successfully connect from a
remote office via a cable/adsl modem that does PAT using the Cisco VPN
software client ???

If so ... and if I had say ... 30 - 40 remote offices, potentially
connecting simultaneously .... would a VPN 3000 be overkill ??? or would I
be better getting a VAC for the PIX (would the PIX VAC support VPNs over
PAT), or are there other VPN concentrators that would do the job ????

Regards ...

Paul ...

----- Original Message -----
From: "Robertson, Douglas" 
To: 
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]


> In most cases the PIX does not support VPNs over PAT; you need a static
> NAT to establish a VPN tunnel.
> Protocol 50 (Encapsulating Security Payload [ESP]) handles the
> encrypted/encapsulated packets of IPSec. PAT devices
> don't work with ESP since they have been programmed to work only with
> Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
> Internet Control Message Protocol (ICMP). In addition, PAT devices are
> unable to map multiple security parameter indexes (SPIs). An alternative is
> implemented in some devices like the VPN 3000 Concentrator by encapsulating
> ESP within UDP and sending it to a negotiated port.
>
> Doug
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cisco VPN client and NAT [7:47430]
>
>
> Lidiya,
>
> On the PIX, when you configure IPsec you configure a pool of addresses that
> your IPsec clients will use on your own network.  For instance, your inside
> network will have the IP addressing scheme of 192.168.0.0 with a class C
> subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
> subnet mask. Therefore when your clients behind your firewall try to
> talk to the 10.0.0.0 network they will hit the firewall and be passed to the
> translation from the pool.  You cannot have any devices in the middle which
> PAT (i.e. a router which PATs the IP address of your PIX if your PIX is
> establishing the tunnel). It must be a one-to-one translation from one end of
> the tunnel to the other.  Everyone feel free to correct me if I'm wrong,
> which I'm sure will be the case.
>
> Jason
>
> -----Original Message-----
> From: Alex Lee [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 26, 2002 3:20 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco VPN client and NAT [7:47430]
>
> So how do the Linksys or Cisco 800 handle IPSec through PAT then ?
> Thanks.
>
>  Alex Lee
>
> "Lidiya White"  wrote in message
> news:[EMAIL PROTECTED]...
> > PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
> > It all depends on the device that is between your client and PIX, that
> > is doing PAT.
> > IPSec uses ESP protocol, that doesn't have ports, so how can you perform
> > PAT (port address translation) for a protocol that doesn't understand
> > port concept?
> > Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
> > So if the router/device that is doing PAT is IPSec aware, then you
> > should be able to pass IPSec through. If not, then you have to make sure
> > that one-to-one address translation happens for your VPN clients, not
> > one-to-many (PAT)...
> > Hope this helps...
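The thread's core argument, that a PAT device keys its translation table on transport-layer ports, that ESP (IP protocol 50) has none and cannot be told apart by SPI, and that wrapping ESP in UDP to a negotiated port fixes this, as an added toy simulation. This is constructed illustration code, not Cisco or list-member code; the addresses, ports and SPIs are made up.

```python
# Toy PAT device: translates TCP/UDP by allocating an outside port per inside
# (ip, port, proto) flow, but has no way to handle raw ESP. Everything here is
# a constructed simulation of the behaviour discussed in the thread.

TCP, UDP, ESP = 6, 17, 50
OUTSIDE_IP = "203.0.113.1"   # constructed public address of the PAT device

class PatDevice:
    def __init__(self, first_port=40000):
        self.table = {}          # outside_port -> (inside_ip, inside_port, proto)
        self.next_port = first_port

    def translate(self, packet):
        """Return the packet as it leaves the PAT device, or None if untranslatable."""
        proto = packet["proto"]
        if proto in (TCP, UDP):
            key = (packet["src"], packet["sport"], proto)
            for outside_port, entry in self.table.items():
                if entry == key:       # existing flow: reuse its outside port
                    break
            else:                      # new flow: allocate the next free port
                outside_port = self.next_port
                self.next_port += 1
                self.table[outside_port] = key
            return {**packet, "src": OUTSIDE_IP, "sport": outside_port}
        # ESP carries an SPI instead of a port. A PAT device that only knows
        # TCP/UDP/ICMP has no field to rewrite and nothing to key return traffic
        # on, so two inside hosts' tunnels cannot be kept apart.
        return None

def esp_packet(src, spi):
    return {"proto": ESP, "src": src, "spi": spi}

def udp_encap_esp(src, spi, port=4500):
    # The "ESP within UDP to a negotiated port" alternative from the thread:
    # the ESP packet becomes the payload of an ordinary UDP datagram.
    return {"proto": UDP, "src": src, "sport": port, "payload": esp_packet(src, spi)}

def demo():
    pat = PatDevice()
    raw = [pat.translate(esp_packet("192.168.1.10", 0x1001)),
           pat.translate(esp_packet("192.168.1.11", 0x2002))]
    encap = [pat.translate(udp_encap_esp("192.168.1.10", 0x1001)),
             pat.translate(udp_encap_esp("192.168.1.11", 0x2002))]
    return raw, encap
```

Running `demo()` shows both raw ESP flows dropped (None) while the UDP-encapsulated ones each get a distinct outside port, which is why the concentrator's encapsulation lets several clients behind one PAT router coexist.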

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47520&t=47430
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]