Thanks Mike. You are 100% correct when you describe my limitations. Well, I am doing something "Mission Impossible". I have set up the PIX firewall without NAT. It's the Cayman router that does the PAT, and I did a pinhole on the Cayman router to the mail server which is behind the firewall. Everything works fine, except the VPN. I want to have some ideas first before I try to configure it. I know that on the Cisco VPN Client we can configure IPsec over UDP or TCP. I wonder if there is additional configuration on the PIX firewall as well to support UDP or TCP port 10000. Because the VPN connection is always initiated by the client, if the client uses IPsec over UDP or TCP, in theory I could configure the Cayman router to pinhole port 10000 to the PIX IP address.

Please correct me if I am wrong.

Daniel

"Mark Odette II" wrote in message news:[EMAIL PROTECTED]...
> Daniel- I may be clueless to some fancy configuration on PAT, but it is my
> belief from my experience that you can't do what you're trying to do.
>
> Your limitations are:
> 1. The Cayman Router (it only does PAT itself, and doesn't have the ability
> to terminate VPNs- it can only PASS Thru the IPSEC traffic.)
> 2. The fact you only have 1 IP address for public use.
>
> From my understanding, with the release of PIX 6.1 code, you can configure
> "Dynamic NAT" on the PIX so that if you only get one IP address dynamically,
> you can use the PIX Outside Interface (not the IP itself) as a NAT point
> between the Public IP and ONE host on the inside network; this also applies
> if you only get one Static IP from your ISP. You can't use that one IP to
> PAT port 80 to one inside network host and port 25 to a different inside
> network host. To make this work though, you have to replace the Cayman DSL
> Router with a regular DSL Modem that you connect the DSL Modem's Ethernet
> Port to the Outside Interface of the PIX- or plug the outside interface and
> the ethernet interface of the DSL Modem into a "Secure" Hub/Switch, i.e.,
> nothing else plugs into that hub/switch too.
>
> If you want to support NATing to multiple hosts on the Inside Network, you
> are going to have to get more Static IPs assigned to you by the ISP.
>
> Now of course, if I'm way off base, somebody else will correct me, I'm sure
> :)
>
> HTHs
> -Mark
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Daniel Ma
> Sent: Wednesday, April 10, 2002 3:35 PM
> To: [EMAIL PROTECTED]
> Subject: configure VPN on PIX which behind PAT router [7:41090]
>
> I am configuring a PIX firewall behind a Cayman DSL router. The whole
> network only has one public IP address, which is on the DSL interface. I need
> to configure the PIX firewall for the remote VPN clients.
> My solution is to encapsulate all IPSEC traffic with TCP 10000, or UDP
> 10000, so the Cayman router could be configured to pinhole port 10000 to
> the PIX outside interface. But I could not find documents on how to
> configure it.
> It will be greatly appreciated if anyone could help me out, or probably you
> have better solutions.
>
> Thanks,
>
> Daniel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41133&t=41090
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]