Guys, IPSec will work with PAT, with some caveats. On the device doing the NAT/PAT, you need a static NAT entry to send IKE and IPSec to the designated inside device. Like this:

! Standard PAT statement
ip nat inside source list 100 interface Ethernet0/0 overload
! IPSec
ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
! IKE/ISAKMP
ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500

By doing this, inside device 192.168.0.2 can connect to an IPSec VPN, using the 3.x client. I'm doing it right now. Of course, if you've got more than 1 internal needing to dial, you'll need more external addresses. Now whether the M$ ICS can be told to send incoming ISAKMP and IPSec to a certain internal client is another question...

Chuck Church
CCIE #8776, MCNE, MCSE

>
> This is correct. IPSec will NOT work through PAT. At the moment, Pix does
> NOT support "NAT traversal (udp encapsulation)". Therefore, trying to
> connect to a Pix behind a NAT device with vpn dialer will not work. VPN
> concentrators, on the other hand, will work. Or better yet, throw away
> your Pix and put in either a CheckPoint NG Firewall or linux firewall
> (iptables). Both CP and Linux are "stateful" firewalls. If you want to
> stick with Pix, wait until version 6.3 where it will support
> "NAT traversal (UDP encapsulation)".
>
> Edward Sohn wrote:
> nope, it won't work...ipsec needs its own IP address and not PAT. i've
> tested this extensively, and it won't work...if anyone else can comment,
> please do.
>
> either way, best thing to do is get a few statics from your ISP and
> statically translate...
>
> ed
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek
> Sent: Sunday, November 24, 2002 9:12 AM
> To: [EMAIL PROTECTED]
> Subject: PIX Client & WIN2000 Internet sharing [7:57988]
>
> I have a home network which uses an ADSL line which is shared via
> Internet Connection Sharing. I have 3 PCs in the network and they can
> all access the internet. From these PCs I am trying to connect to my
> office VPN. I can ping the address but cannot connect via Dialer. The VPN
> connection works when Internet Sharing is disabled. Is there any way
> around this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58062&t=58062
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
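
Added example (not part of the original thread): a simplified Python model of one outside address on a NAT/PAT device, showing why the static esp and udp 500 entries in the configuration above are needed and why a second inside client needs another outside address. The PatDevice class, its methods and the address 192.168.0.3 are assumptions made for illustration; this models no particular vendor's NAT implementation.

```python
# Simplified model of one outside address on a NAT/PAT device (constructed example).
ESP, UDP = 50, 17      # IP protocol numbers
IKE_PORT = 500         # IKE/ISAKMP

class PatDevice:
    def __init__(self):
        self.dynamic = {}   # (proto, outside_port) -> (inside_ip, inside_port)
        self.static = {}    # (proto, port or None) -> inside_ip
        self.next_port = 1024

    def add_static(self, proto, inside_ip, port=None):
        """Pin a protocol (and port, if it has one) on the outside address to one host."""
        owner = self.static.setdefault((proto, port), inside_ip)
        if owner != inside_ip:
            raise ValueError(f"proto {proto} port {port} already mapped to {owner}")

    def outbound(self, proto, inside_ip, src_port=None):
        """Overload translation: rewrites the source port. Returns outside port or None."""
        if src_port is None:          # ESP carries no ports, so no dynamic entry is made
            return None
        outside_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(proto, outside_port)] = (inside_ip, src_port)
        return outside_port

    def inbound(self, proto, dst_port=None):
        """Inside host that a packet sent to the outside address reaches, or None."""
        if (proto, dst_port) in self.static:
            return self.static[(proto, dst_port)]
        entry = self.dynamic.get((proto, dst_port))
        return entry[0] if entry else None

def demo():
    results = {}
    pat = PatDevice()                                  # overload only, no static entries
    pat.outbound(UDP, "192.168.0.2", IKE_PORT)         # IKE leaves from a rewritten port
    pat.outbound(ESP, "192.168.0.2")                   # ESP leaves, nothing is recorded
    results["overload_only_ike"] = pat.inbound(UDP, IKE_PORT)  # no entry for port 500
    results["overload_only_esp"] = pat.inbound(ESP)            # no entry for ESP
    pat.add_static(ESP, "192.168.0.2")                 # the static esp entry
    pat.add_static(UDP, "192.168.0.2", IKE_PORT)       # the static udp 500 entry
    results["static_ike"] = pat.inbound(UDP, IKE_PORT)
    results["static_esp"] = pat.inbound(ESP)
    try:
        pat.add_static(ESP, "192.168.0.3")             # second client, same outside address
        results["second_client"] = "ok"
    except ValueError:
        results["second_client"] = "needs another outside address"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```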