Re: PIX Client & WIN2000 Internet sharing [7:58062]
I'm not really sure what 'IPSec passthrough' means. I've seen it used by different companies and it means different things. If the PIX is smart enough to detect your IKE going out, and set up the necessary IKE and IPSec translations for the other end of the VPN (for the return traffic), then you don't need the statics. This is how the Linksys DSL/Cable routers work, I believe. But if it doesn't work, try setting up the statics for IKE and IPSec. What works on the router should work on the PIX, although I don't know for sure if the PIX will let you do the extended translations like the IOS does. Don't have a PIX here to try it on.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Elijah Savage III"
To: "Chuck Church"
Sent: Monday, November 25, 2002 4:32 PM
Subject: RE: PIX Client & WIN2000 Internet sharing [7:58062]

> Chuck,
>
> Please correct me if I am wrong, but you are using a router with PAT, and
> with a router you will need those statics. But on the PIX you do not need
> to have statics because it supports IPSec passthrough; I have no statics
> on my PIX at all.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58064&t=58062
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX Client & WIN2000 Internet sharing [7:58062]
Chuck,

Please correct me if I am wrong, but you are using a router with PAT, and with a router you will need those statics. But on the PIX you do not need to have statics because it supports IPSec passthrough; I have no statics on my PIX at all.

-----Original Message-----
From: Chuck Church [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 25, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Client & WIN2000 Internet sharing [7:58062]

> Guys,
>
> IPSec will work with PAT, with some caveats. On the device doing the
> NAT/PAT, you need a static NAT entry to send IKE and IPSec to the
> designated inside device. Like this:
>
>   ip nat inside source list 100 interface Ethernet0/0 overload
>     (Standard PAT statement)
>   ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
>     (IPSec)
>   ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
>     (IKE/ISAKMP)
>
> By doing this, inside device 192.168.0.2 can connect to an IPSec VPN,
> using the 3.x client. I'm doing it right now. Of course, if you've got
> more than 1 internal needing to dial, you'll need more external
> addresses.
>
> Now whether the M$ ICS can be told to send incoming ISAKMP and IPSec to
> a certain internal client is another question...
>
> Chuck Church
> CCIE #8776, MCNE, MCSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58063&t=58062
RE: PIX Client & WIN2000 Internet sharing [7:58062]
Guys,

IPSec will work with PAT, with some caveats. On the device doing the NAT/PAT, you need a static NAT entry to send IKE and IPSec to the designated inside device. Like this:

  ip nat inside source list 100 interface Ethernet0/0 overload
    (Standard PAT statement)
  ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
    (IPSec)
  ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
    (IKE/ISAKMP)

By doing this, inside device 192.168.0.2 can connect to an IPSec VPN, using the 3.x client. I'm doing it right now. Of course, if you've got more than 1 internal needing to dial, you'll need more external addresses.

Now whether the M$ ICS can be told to send incoming ISAKMP and IPSec to a certain internal client is another question...

Chuck Church
CCIE #8776, MCNE, MCSE

> This is correct. IPSec will NOT work through PAT. At the moment, Pix does
> NOT support "NAT traversal (udp encapsulation)". Therefore, trying to
> connect to a Pix behind a NAT device with vpn dialer will not work. VPN
> concentrators, on the other hand, will work. Or better yet, throw away
> your Pix and put in either a CheckPoint NG Firewall or linux firewall
> (iptables). Both CP and Linux are "stateful" firewalls. If you want to
> stick with Pix, wait until version 6.3 where it will support "NAT
> traversal (UDP encapsulation)".
>
> Edward Sohn wrote:
>
> > nope, it won't work... ipsec needs its own IP address and not PAT. i've
> > tested this extensively, and it won't work... if anyone else can
> > comment, please do.
> >
> > either way, best thing to do is get a few statics from your ISP and
> > statically translate...
> >
> > ed
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek
> > Sent: Sunday, November 24, 2002 9:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: PIX Client & WIN2000 Internet sharing [7:57988]
> >
> > > I have a home network which uses an ADSL line which is shared via
> > > Internet Connection Sharing. I have 3 PCs in the network and they can
> > > all access the internet. From these PCs I am trying to connect to my
> > > office VPN. I can ping the address but cannot connect via Dialer. The
> > > VPN connection works when Internet Sharing is disabled. Is there any
> > > way around this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58062&t=58062
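The three behaviours argued over in this thread (Chuck's static esp / udp 500 translations and their one-host limit, the peer-tracking "IPSec passthrough" he speculates about in his later reply, and the NAT traversal with UDP encapsulation that the unnamed poster says PIX 6.3 will add) can be played through on a toy PAT gateway. This is an added example written for this page; it is not code from the thread, from Cisco, or from any router. The gateway model, the addresses (RFC 5737 documentation ranges) and the assumption that a passthrough box maps return ESP to whichever inside host last sent ESP to that peer are all constructed for illustration.

```python
"""Toy PAT gateway: why raw ESP fails under PAT, what the thread's static
esp/udp-500 translations change, how a peer-tracking 'IPSec passthrough'
box behaves, and why NAT-T (ESP inside UDP/4500) lifts the one-host limit.
Constructed example; the addresses are documentation ranges, not real."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # ESP carries no ports, so these stay None
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP Security Parameter Index


class PatGateway:
    """One public address shared by every inside host (IOS 'overload')."""

    def __init__(self, outside_ip: str, esp_passthrough: bool = False):
        self.outside_ip = outside_ip
        self.esp_passthrough = esp_passthrough
        self.next_port = 1024
        self.out = {}       # (proto, inside_ip, inside_port) -> outside_port
        self.back = {}      # (proto, outside_port) -> (inside_ip, inside_port)
        self.static = {}    # (proto, outside_port) -> (inside_ip, inside_port)
        self.esp_peer = {}  # peer_ip -> inside_ip, passthrough mode only (assumed model)

    def add_static(self, proto: str, inside_ip: str, port: Optional[int] = None):
        """Stands in for 'ip nat inside source static esp|udp ...'."""
        self.static[(proto, port)] = (inside_ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "esp":
            if self.esp_passthrough:
                self.esp_peer[pkt.dst] = pkt.src  # last sender to a peer wins
            # No port to rewrite: PAT can only swap the source address.
            return Packet("esp", self.outside_ip, pkt.dst, spi=pkt.spi)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            st = self.static.get((pkt.proto, pkt.sport))
            if st and st[0] == pkt.src:
                port = pkt.sport       # static keeps the real port (e.g. 500)
            else:
                port = self.next_port  # ordinary overload: next free port
                self.next_port += 1
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.outside_ip, pkt.dst, self.out[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet as delivered inside, or None when the gateway drops it."""
        target = self.back.get((pkt.proto, pkt.dport))
        if target is None and pkt.proto == "esp" and pkt.src in self.esp_peer:
            target = (self.esp_peer[pkt.src], None)
        if target is None:
            target = self.static.get((pkt.proto, pkt.dport))
        if target is None:
            return None  # no translation state for this flow: dropped
        inside_ip, inside_port = target
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port, pkt.spi)


VPN_GW = "203.0.113.10"  # constructed address of the office VPN gateway
PUBLIC = "198.51.100.1"  # constructed public side of the home gateway
PC_A, PC_B = "192.168.0.2", "192.168.0.3"


def ike_then_esp(gw: PatGateway, pc: str, spi: int):
    """IKE (UDP/500) then ESP, each answered; returns the inside host each reply reached."""
    ike_out = gw.outbound(Packet("udp", pc, VPN_GW, 500, 500))
    ike_back = gw.inbound(Packet("udp", VPN_GW, PUBLIC, 500, ike_out.sport))
    gw.outbound(Packet("esp", pc, VPN_GW, spi=spi))
    esp_back = gw.inbound(Packet("esp", VPN_GW, PUBLIC, spi=spi + 1))
    return (ike_back.dst if ike_back else None, esp_back.dst if esp_back else None)


def plain_pat():
    """Overload PAT only: IKE gets a port and works, return ESP has nowhere to go."""
    return ike_then_esp(PatGateway(PUBLIC), PC_A, 0x1000)


def pat_with_statics():
    """Chuck's statics: PC_A works; PC_B's return ESP is delivered to PC_A."""
    gw = PatGateway(PUBLIC)
    gw.add_static("esp", PC_A)        # ip nat inside source static esp ...
    gw.add_static("udp", PC_A, 500)   # ip nat inside source static udp ... 500
    return ike_then_esp(gw, PC_A, 0x1000), ike_then_esp(gw, PC_B, 0x2000)


def passthrough_two_clients():
    """Peer-tracking passthrough: fine for one client, ambiguous for two."""
    gw = PatGateway(PUBLIC, esp_passthrough=True)
    a, b = ike_then_esp(gw, PC_A, 0x1000), ike_then_esp(gw, PC_B, 0x2000)
    late = gw.inbound(Packet("esp", VPN_GW, PUBLIC, spi=0x1001))  # meant for A
    return a, b, late.dst if late else None


def nat_traversal():
    """ESP wrapped in UDP/4500 has a port, so overload PAT can tell hosts apart."""
    gw = PatGateway(PUBLIC)
    delivered = []
    for pc in (PC_A, PC_B):
        out = gw.outbound(Packet("udp", pc, VPN_GW, 4500, 4500))
        back = gw.inbound(Packet("udp", VPN_GW, PUBLIC, 4500, out.sport))
        delivered.append(back.dst if back else None)
    return delivered
```

Calling the four scenario functions shows the thread's positions side by side: plain_pat() delivers the IKE reply to 192.168.0.2 but drops the return ESP (the "IPSec needs its own IP address" complaint); pat_with_statics() makes 192.168.0.2 work and sends the second client's return ESP to the wrong host (Chuck's "more than 1 internal needs more external addresses"); passthrough_two_clients() works for each client in turn but a late packet for the first client lands on the second, which is why passthrough implementations differ and are hard to reason about; nat_traversal() carries both clients because UDP/4500 (the port RFC 3948 NAT-T uses) gives PAT a port to multiplex on. Real gateways vary in how they key ESP (some use the SPI rather than the peer address), so treat the passthrough mode as one plausible model, not a description of any specific product.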