I am installing a PIX for a customer who already has a VPN setup in place. He's got a WIN2K server at his main site, and is building L2TP tunnels over the internet from several remotes. I need to put the PIX between the current VPN server and the remotes. Can I just config it to pass the L2TP traffic (along with the rest of the traffic I want to allow) so that he doesn't have to change his current VPN setup? Or does it make more sense to terminate the VPN tunnels instead on the PIX? Thanks in advance for any input!
> Can I just config it to pass the L2TP traffic (along with the rest of the traffic I want to allow) so that he doesn't have to change his current VPN setup?
Yes. It should work for you.
> Or does it make more sense to terminate the VPN tunnels instead on the PIX?
There is not much benefit in terminating L2TP at the PIX versus using the existing W2K server, but if you switch to the Cisco VPN client (IPSec), then there are some advantages, like dual authentication and split tunnel.
Such a change will require installing VPN client software on the remote machines.
It can be implemented in 4 phases:
1) Install pix, keeping the existing VPN configuration.
2) Configure the pix to accept Cisco VPN remote access clients, with XAUTH.
3) Install Cisco VPN clients and verify connectivity.
4) Instruct users to start using the new client, and block connectivity to the old W2K VPN server.
Please note that the PIX by default comes with DES encryption only. If you're going to terminate VPN at the PIX, you will probably be interested in upgrading to 3DES/AES. Contact your Cisco dealer about this.
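As an added illustration that is not part of the original reply, here is what the first option (leaving the W2K server as the VPN endpoint and passing L2TP/IPsec through the PIX) looks like in PIX 6.x syntax. The addresses (192.168.1.10 inside, 203.0.113.10 on the outside) and the ACL name outside_in are assumptions for the example.

```text
! Added example, not from the original thread. Addresses and ACL name are assumed.
! W2K VPN server sits at 192.168.1.10 inside and is published as 203.0.113.10 outside.
! A one-to-one static is required: ESP carries no port numbers, so it cannot be PATed.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! IKE (ISAKMP) key exchange, UDP/500
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
! ESP, IP protocol 50; the L2TP session rides inside it once the IPsec SA is up
access-list outside_in permit esp any host 203.0.113.10
! NAT-T, UDP/4500; only useful if both the W2K server and the remotes support it,
! which is what lets a remote behind NAT keep its ESP traffic alive
access-list outside_in permit udp any host 203.0.113.10 eq 4500
! Plain L2TP, UDP/1701; only needed if the server is set to accept L2TP without IPsec.
! With L2TP/IPsec the L2TP packets are inside ESP and the PIX never sees port 1701.
access-list outside_in permit udp any host 203.0.113.10 eq 1701

access-group outside_in in interface outside
```

After a remote connects, `show access-list outside_in` should show hit counts climbing on the isakmp and esp lines; if only the isakmp line is hit, the IKE negotiation is completing but ESP is not getting through, which usually points at a NAT device on the remote side rather than at the PIX.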
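For the second option (phase 2 of the list above, terminating the tunnels on the PIX itself with the Cisco VPN client), here is an added example of a PIX 6.3 remote-access configuration showing the two advantages the reply mentions, group plus per-user (XAUTH) authentication and split tunnelling. It is not code from the original thread; the pool, group name, user name, inside network and DNS server address are assumptions.

```text
! Added example, not from the original thread. Names and addresses are assumed.
! Addresses handed to VPN clients
ip local pool vpnpool 192.168.100.1-192.168.100.50

! Do not NAT traffic between the inside LAN and the client pool
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Split tunnel: only the inside LAN is sent through the tunnel, the rest goes direct
access-list split permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! 3DES needs the 3DES/AES activation key mentioned above; a DES-only PIX must use esp-des
crypto ipsec transform-set clientset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set clientset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
! XAUTH: each user is prompted for a username/password held in the PIX local database
crypto map clientmap client authentication LOCAL
crypto map clientmap interface outside

isakmp enable outside
! Group policy: pre-shared group key (first authentication factor), DES-only boxes use "encryption des"
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Lets clients behind NAT encapsulate ESP in UDP/4500
isakmp nat-traversal 20

! VPN group that the Cisco VPN client connects to; the group password is the pre-shared key
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.1.5
vpngroup remoteusers split-tunnel split
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <group-key>

! Per-user credentials checked by XAUTH (second authentication factor)
username jdoe password <user-password> privilege 2
```

The client profile then carries the group name remoteusers and the group key, and each user additionally types their own username and password at connect time. Once the remotes are moved over (phase 4), the static and ACL entries that exposed the W2K server can be removed so the old endpoint is no longer reachable from the internet.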