Firewall Wizards mailing list archives
RE: PIX 515 and Cisco VPN client from inside
From: "Wes Noonan" <mailinglists () wjnconsulting com>
Date: Fri, 29 Aug 2003 18:58:43 -0500
This is dated information. The latest version of PIXOS has no problem with IPSEC and NAT/PAT.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#1057446
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn633.htm#65230

HTH
Wes
In my experience you don't want to NAT/PAT the VPN traffic. You do this by using the command "nat 0". There are other commands with it that I can't recall, but the point is to NAT/PAT all traffic except the VPN traffic. I had to do this a couple of times in the past. It seems IPSec had problems with the NAT traffic. Here is something from Cisco:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml

access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0

This configuration will not translate those addresses with a source address of 10.0.0.0/8 and a destination address of 192.168.1.0/24. It will translate the source address from any traffic initiated from within the 10.0.0.0/8 network and destined for anywhere other than 192.168.1.0/24 into an address from the range 199.199.199.3 - 199.199.199.62.

Hope this leads you in the right direction
Brian

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
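A small Python model of the "nat 0 access-list" exemption logic that Brian's snippet relies on, added here as an example and not part of the original thread or Cisco's own code. The addresses and pool are the ones in the snippet; the evaluation order (first matching ACL entry decides exemption, then first matching nat statement picks a global pool) is an assumed simplification of PIX behaviour used only to illustrate which flows keep their real source address for IPSec and which get PAT'd.

```python
import ipaddress

# Constructed from the PIX lines quoted in the thread:
#   access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
#   global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
#   nat (inside) 0 access-list 101
#   nat (inside) 1 10.0.0.0 255.0.0.0 0 0


def _net(addr, mask):
    # PIX ACLs and nat statements use real subnet masks, not wildcard masks
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


# access-list 101: list of (action, source network, destination network)
ACL_101 = [
    ("permit", _net("10.0.0.0", "255.0.0.0"), _net("192.168.1.0", "255.255.255.0")),
]
NAT_EXEMPT_ACL = ACL_101                              # nat (inside) 0 access-list 101
NAT_RULES = [(1, _net("10.0.0.0", "255.0.0.0"))]      # nat (inside) 1 10.0.0.0 255.0.0.0
GLOBAL_POOLS = {1: ("199.199.199.3", "199.199.199.62")}  # global (outside) 1 ...


def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL with no match is an implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def translate(src_ip, dst_ip):
    """Return (decision, source as seen on the outside) for one inside->outside flow.

    'exempt'  : matched nat 0 ACL, address untouched (what the VPN tunnel needs)
    'pool'    : matched a numbered nat statement, PAT'd into that global pool
    'no-rule' : no nat statement covers the source (assumed simplification)
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if acl_permits(NAT_EXEMPT_ACL, src, dst):
        return ("exempt", str(src))
    for nat_id, net in NAT_RULES:
        if src in net:
            low, high = GLOBAL_POOLS[nat_id]
            return ("pool", f"{low}-{high}")
    return ("no-rule", str(src))


if __name__ == "__main__":
    for flow in [("10.1.2.3", "192.168.1.10"), ("10.1.2.3", "203.0.113.7"), ("172.16.0.5", "203.0.113.7")]:
        print(flow, "->", translate(*flow))
```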