Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
5
Helpful
4
Replies

is VPN throw nat possible?

gael.clavadetscher
Level 1
Level 1

‎01-06-2006 07:31 AM - edited ‎02-21-2020 02:11 PM

Hello,

I will have a small pix 501, we have yet a none cisco adsl router.

I was wondering, if I configure vpn-to-vpn (cisco to nortel) from the pix, will it work if I have only one public address on ADSL outside interface?

So will it work if the esp traffic is nated to the outside interface?

Many thanks.

gael

Labels:
0 Helpful
4 Replies 4

jackko
Level 7
Level 7

‎01-06-2006 05:21 PM

www <--> adsl router <--> pix501 <--> inside subnet

re-configure the adsl router from running router-mode to bridge-mode, then configure pppoe on the pix if isp authentication is required.

with this scenario, the public ip will be assigned directly on the pix outside interface, and the router will act as a dump adsl signal "handler". thus, you don't have to worry about the complication of nat, firewall rule etc.

0 Helpful

gael.clavadetscher
Level 1
Level 1
In response to jackko

‎01-07-2006 01:49 AM

Hi and many thanks for your advice,

Another point, in the case I need to keep a DMZ between the adsl and the pix,

inside subnet --- (PIX 501)

---------------------------------- (ADSL) -- INTERNET

DMZ Subnet(private subnet)

Can I still use PPPoe?

The customer has now a cheap zyxel router (should change), do you think it is also possible with it to configure it as a bridge?

Last point... Do you have any configuration example?

Many thanks.

Gael

0 Helpful

jackko
Level 7
Level 7
In response to gael.clavadetscher

‎01-07-2006 06:45 AM

it's not feasible to configure pppoe on the pix with the posted scenario.

the reason being with the pppoe configured on the pix, the router will have no ip address at all and runs as a bridge. the only function of the router is then to translate the dsl signal. without a layer 3 device in front of the dmz, host will not be able to connect to the internet.

i suggest a purchase of cisco router, such as 837/877, replacing the existing adsl router.

www <--> 837/877 <--dmz--> pix <--> inside

837/877 router is capable to handle adsl, firewalling, and vpn. thus the segment between the roter and the pix can be used as a dmz; whereas the pix can be used to secure the inside subnet.

further, the primary advantage of 877 over 837 is the wireless capability.

nonetheless, below are the codes for configuring pppoe on pix:

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname

vpdn group pppoe_group ppp authentication chap

vpdn username password

ip address outside pppoe setroute

gael.clavadetscher
Level 1
Level 1
In response to jackko

‎01-07-2006 07:10 AM

Excellent,

Many thanks.

Gael

0 Helpful
Customers Also Viewed These Support Documents