Cisco Support Community

L2TP thru PIX -- design question

I am installing a PIX for a customer who already has a VPN setup in place. He's got a WIN2K server at his main site, and is building L2TP tunnels over the internet from several remotes. I need to put the PIX between the current VPN server and the remotes. Can I just config it to pass the L2TP traffic (along with the rest of the traffic I want to allow) so that he doesn't have to change his current VPN setup? Or does it make more sense to terminate the VPN tunnels instead on the PIX? Thanks in advance for any input!

Re: L2TP thru PIX -- design question

Hi.

> Can I just config it to pass the L2TP traffic (along with the rest of the traffic I want to allow) so that he doesn't have to change his current VPN setup?

Yes. It should work for you.

> Or does it make more sense to terminate the VPN tunnels instead on the PIX?

There is not much benefit in terminating L2TP at the PIX versus using the existing W2K server, but if you switch to the Cisco VPN client (IPSec), then there are some advantages, like dual authentication and split tunnel.

Such a change will require installing VPN client software on the remote machines.

It can be implemented in 4 phases:

1) Install the PIX, keeping the existing VPN configuration.

2) Configure the PIX to accept Cisco VPN remote access clients, with XAUTH.

3) Install Cisco VPN clients and verify connectivity.

4) Instruct users to start using the new client, and block connectivity to the old W2K VPN server.

Please note that the PIX by default comes with DES encryption only. If you're going to terminate VPN at the PIX, you will probably be interested in upgrading to 3DES/AES. Contact your Cisco dealer about this.

Bye
