I bet you were using IPSec over TCP. Then it really doesn't matter what
is in the 'middle'. Your Cisco 1605 will see only TCP traffic, not ESP.
The Cisco 1600 is not IPSec aware (and doesn't have to be in your setup).

-- Lidiya White


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
supernet
Sent: Wednesday, June 26, 2002 11:31 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

I didn't try PIX, but I tried a 1605: Main office
3030---Internet---1605---VPN clients. It worked fine. The 1605 was
configured with PAT inside. Does this mean the 1605 is IPSec aware? If the
1605 is IPSec aware, why isn't the PIX?

Thanks.
Yoshi

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Lidiya White
Sent: Wednesday, June 26, 2002 7:56 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

See inlines

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

 

>> Cool, so the PIX will not support VPN's over PAT !!!

 

If you are talking about passing IPSec through the PIX (not the PIX
terminating the VPN tunnel) then you are correct. The PIX has to have a pool of
IP addresses for one-to-one NAT for your VPN clients.

If you are talking about PIX terminating VPN, then PIX won't even know
the difference if the packet went through the PAT/NAT device.

 

>> So if I had my Main Office PIX, and a VPN Concentrator ..... could I
>> successfully connect from a remote office via a cable/ADSL modem that does
>> PAT using the Cisco VPN software client ???

 

Is your cable modem IPSec aware (supports IPSec through PAT)?

 

If yes, then you can terminate VPN tunnels on the VPN Concentrator or
the PIX.

If not, then you can use the VPN Concentrator with the "IPSec over TCP" option.
The PIX doesn't support IPSec over TCP for now. The PIX only listens on UDP port
500.

 

 

-- Lidiya White

 

>> If so ... and if I had say ... 30 - 40 remote offices, potentially
>> connecting simultaneously .... would a VPN 3000 be overkill ??? or would
>> I be better getting a VAC for the PIX (would the PIX VAC support VPN's
>> over PAT), or are there other VPN concentrators that would do the job ????

 

Regards ...

 

Paul ...

 

----- Original Message -----

From: "Robertson, Douglas" 

To: 

Sent: Wednesday, June 26, 2002 6:15 PM

Subject: RE: Cisco VPN client and NAT [7:47430]

 

 

> In most cases the PIX does not support VPN's over PAT; you need a static
> NAT to establish a VPN tunnel.
> Protocol 50 (Encapsulating Security Payload [ESP]) handles the
> encrypted/encapsulated packets of IPSec. PAT devices
> don't work with ESP since they have been programmed to work only with
> Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
> Internet Control Message Protocol (ICMP). In addition, PAT devices are
> unable to map multiple security parameter indexes (SPIs). An alternative
> is implemented in some devices like the VPN 3000 Concentrator by
> encapsulating ESP within UDP and sending it to a negotiated port.

>

> Doug

>

> -----Original Message-----

> From: ""[EMAIL PROTECTED] [mailto:""[EMAIL PROTECTED]]

> Sent: Wednesday, June 26, 2002 11:20 AM

> To: [EMAIL PROTECTED]

> Subject: RE: Cisco VPN client and NAT [7:47430]

>

>

> Lidiya,

>

> On the PIX when you configure IPSec you configure a pool of addresses that
> your IPSec clients will use on your own network.  For instance your inside
> network will have the IP addressing scheme of 192.168.0.0 with a class C
> subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
> subnet mask. Therefore when your clients behind your firewall try to
> talk to the 10.0.0.0 network they will hit the firewall and be passed to the
> translation from the pool.  You cannot have any devices in the middle which
> PAT (i.e. a router which PATs the IP address of your PIX if your PIX is
> establishing the tunnel). It must be a one-to-one translation from one end
> of the tunnel to the other.  Everyone feel free to correct me if I'm wrong,
> which I'm sure will be the case.

>

> Jason

>

> -----Original Message-----

> From: Alex Lee [mailto:[EMAIL PROTECTED]]

> Sent: Wednesday, June 26, 2002 3:20 PM

> To: [EMAIL PROTECTED]

> Subject: Re: Cisco VPN client and NAT [7:47430]

>

> So how does the Linksys or Cisco 800 handle the IPSec thru PAT then ?

> Thanks.

>

>  Alex Lee

>

> ""Lidiya White""  wrote in message

> news:[EMAIL PROTECTED]...

> > PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
> > It all depends on the device that is between your client and PIX, that
> > is doing PAT.
> > IPSec uses the ESP protocol, which doesn't have ports, so how can you perform
> > PAT (port address translation) for a protocol that doesn't understand
> > the port concept?
> > Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
> > So if the router/device that is doing PAT is IPSec aware, then you
> > should be able to pass IPSec through. If not, then you have to make sure
> > that one-to-one address translation happens for your VPN clients, not
> > one-to-many (PAT)...
> > Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47542&t=47430
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
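Added example, not from the thread or from any Cisco code: a toy PAT device in Python whose translation state is keyed entirely on ports. It shows the two points made above: raw ESP (IP protocol 50) has no port to rewrite and a returning ESP packet carries only an SPI that no table entry maps to an inside client, so the box drops both directions, while the same ESP wrapped in UDP (what Doug describes for the VPN 3000 Concentrator and Lidiya calls IPSec transparency) gets one public port per inside client and replies find their way back. The addresses, the UDP port 4500 (the later standardised NAT-T port, not something the thread states) and all helper names are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp" or "esp" (IP protocol 50)
    sport: Optional[int] = None   # L4 port; for ICMP the query id plays this role
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP Security Parameter Index, opaque to a PAT box

class PatDevice:
    """Many inside hosts share one public address; all state is keyed on ports."""
    PORTED = ("tcp", "udp", "icmp")

    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000   # next free public port
        self.outbound, self.inbound = {}, {}   # (in_ip, in_port) <-> public port

    def out(self, pkt):
        """Inside -> Internet. None means there is no port to rewrite (raw ESP)."""
        if pkt.proto not in self.PORTED:
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.outbound[key])

    def back(self, pkt):
        """Internet -> inside; a raw ESP reply has only an SPI, which maps to nothing."""
        if pkt.proto not in self.PORTED or pkt.dport not in self.inbound:
            return None
        ip, port = self.inbound[pkt.dport]
        return replace(pkt, dst=ip, dport=port)

def udp_encap(esp, port=4500):
    """Wrap ESP in UDP, as the Concentrator does; 4500 is an assumed port."""
    return replace(esp, proto="udp", sport=port, dport=port)

def demo():
    pat, gw = PatDevice("203.0.113.1"), "198.51.100.10"   # constructed addresses
    a = Packet("10.0.0.2", gw, "esp", spi=0x1001)          # two clients behind PAT
    b = Packet("10.0.0.3", gw, "esp", spi=0x2002)
    raw = [pat.out(p) for p in (a, b)]                     # [None, None]
    enc = [pat.out(udp_encap(p)) for p in (a, b)]          # ports 40000 and 40001
    reply = Packet(gw, pat.public_ip, "udp", 4500, enc[1].sport, spi=0x2002)
    return raw, enc, pat.back(reply)                       # reply reaches 10.0.0.3
```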
