As Michael says, when using Cisco's VPN client at least, the PIX assigns (from a pool configured on it) an IP address to the remote client. I use 172.17 addresses, but you can use anything. You then need to allow that range through the PIX to your protected network. Cisco has some good docs on their site on how to do this if you're unfamiliar with the ipsec commands. Takes a total of about 10 commands on the PIX to allow ipsec connections. Much easier than I thought.

Are you planning on connecting to the PIX from an LRP box, or through an LRP box? (Or neither) I have no experience attaching FreeS/WAN to a PIX, but I doubt that a dynamic address would work well. Tunnelling through an LRP box, however, is a piece of cake, and handles dynamic addressing and NAT quite handily.

Cisco docs for VPN Client configs:
http://www.cisco.com/warp/public/110/pptpcrypto3.html

Jonathan Rawson

-----Original Message-----
From: Michael Leone <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 14, 2001 2:34 PM
Subject: Re: [Leaf-user] VPN pre-install question


>> One of my clients has just bought a Cisco PIX firewall and I will be
>> attempting to set up a VPN connection to them. Do you know if the PIX
>> firewall can accept an IPSEC connection from a dynamic IP address?
>> I have read that FreeSWAN can, I know that Checkpoint and W2K can't.
>> I don't want to spend too much time attempting the impossible.
>
>I can tell you that, when I was testing my PIX, we dialed a laptop into a
>local ISP (and got a dynamic IP), and used the Cisco IPSec software to
>connect to our Pix with no problem.
>
>When you configure the Pix, you will have (probably) an RFC 1918 address on
>the internal interface (i.e., 192.168.1.x). You would then also assign a
>DIFFERENT RFC 1918 address to the incoming IPSec connection (we used
>172.16.x.x); the incoming IPSec is then assigned this 2nd address. The Pix
>will automatically route between them.
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>http://lists.sourceforge.net/lists/listinfo/leaf-user


