RE: PIX 515 and Cisco VPN client from inside

["Wes Noonan" <mailinglists () wjnconsulting com>]

This is dated information. The latest version of PIXOS has no problem with
IPSEC and NAT/PAT. 

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config
/ipsecint.htm#1057446

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnot
es/pixrn633.htm#65230

HTH

Wes

> In my experiences you don't want to NAT/PAT the VPN traffic.  You do
> this by using the command "nat 0"  There is other commands with it that
> I can't recall but the point is to NAT/PAT all traffic except the VPN
> traffic.
> I had to do this a couple of times in the past.  It seems IPSec had
> problems with the nat traffic.
>
> Here is something from cisco
> http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09
> 186a00800b6e1a.shtml
>
> access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
> global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
> nat (inside) 0 access-list 101
> nat (inside) 1 10.0.0.0 255.0.0.0 0 0
>
>
> This configuration will not translate those addresses with a source
> address of 10.0.0.0/8 and a destination address of 192.168.1.0/24. It
> will translate the source address from any traffic initiated from within
> the 10.0.0.0/8 network and destined for anywhere other than
> 192.168.1.0/24 into an address from the range 199.199.199.3 -
> 199.199.199.62.
>
>
>
> Hope this leads you in the right direction
>
> Brian
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards