1- Does the latest PIX code support IPsec passthrough? Can I create an IPsec tunnel from a client on the inside interface to a concentrator on the outside (Internet) when the PIX NATs/PATs all IP addresses on the inside network to the outside IP address (assigned by DHCP), like a Linksys or a Nexland appliance? If the PIX cannot do it, what is the time frame for this feature?
2- When the PIX device acts as a VPN concentrator and the client software is the Unified version 3.x client, is it possible to terminate a VPN session on the PIX when the VPN client is behind a NAT/PAT device? Does IPsec over UDP work on the PIX?
NAT Transparency mode is currently only available on the concentrators. In your first question, your inside clients CAN use transparency mode THROUGH the PIX to connect to the external Cisco VPN concentrator. For question two, it will be a while before the PIX supports terminating the tunnel on the PIX in transparency mode. You might see if Cisco has a rough date yet. Last I heard they weren't sure if they were going to port that feature into the PIX at all.
I am a little confused here. Can I set up my PIX to terminate VPN connections using the Unified Cisco VPN client when users are connected via NAT? I need to set up a VPN landing point on my PIX that other clients need to connect to. About 95% of these clients will be coming in through corporate sites and corporate firewalls. Will this not work? It just doesn't sound right. How can I get around this short of buying a VPN Concentrator?
Unfortunately, this is correct. I'm suffering from the same thing. The 3000 concentrators are probably what you will need. Can you say "capital expenditure"? Nice product, will work well for what you're trying to do. Kinda wish the PIX would terminate in NAT transparency mode though.
I am going through something like this right now.
We also had trouble connecting to the PIX from DSL using the VPN software.
I have the 3000 concentrator, and it works very well for normal DSL and Cable modem access with the VPN software. However, trying to use the 3002 hardware client to connect to the internal network is another story. The 3002 will work in PAT mode all day long. I am having trouble getting it to work in network extension mode.
It will create the tunnel, but will not pass traffic from one site to another.
You can configure the PIX to act as a termination endpoint. The number of clients that will be connecting in via IPSec, PPTP, or L2TP VPN is probably what you should base the decision to buy a VPN Concentrator on, though. If you have more than 10 clients connecting in, I would go with the VPN Concentrator, because the VPN Concentrator does just that: it's a VPN Concentrator. Whereas the PIX can terminate remote client VPN sessions, it is harder to manage and set up than a VPN Concentrator. One issue you might consider, as well, is that the PIX does not support transparency mode, which means that you cannot run PAT or NAT Overload on the firewall that the clients will be behind. If the clients are not going to be behind a firewall running PAT, then the remote client VPN terminating on the PIX will work fine. In short, go with the VPN Concentrator if you have a lot of remote VPN clients connecting into the network! Easier to manage!
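As an added illustration of what "configure the PIX to act as a termination endpoint" involves (this is example configuration written for this page, not posted by anyone in the thread), the following is a minimal PIX 6.x remote-access IPsec setup for the Cisco Unified VPN client. The interface names, addresses, pool range, map and group names, and the DNS/domain values are assumptions; substitute your own.

```cisco
! Added example: PIX 6.x remote-access IPsec termination for the Cisco
! Unified VPN client. All addresses, names and the vpngroup are assumed
! values for illustration, not taken from this thread.
!
! Exempt inside-to-client-pool traffic from NAT so replies return via the tunnel
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Address pool pushed to connecting clients by mode-config
ip local pool vpnpool 192.168.100.1-192.168.100.50
!
! Let decrypted IPsec traffic bypass the interface access-list/conduit checks
sysopt connection permit-ipsec
!
! Phase 2: transform set on a dynamic crypto map (client peer addresses are unknown)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap interface outside
!
! Phase 1: ISAKMP policy matching the Unified client's group/pre-shared-key defaults
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Group name and group pre-shared key entered in the client's connection entry
vpngroup remotevpn address-pool vpnpool
vpngroup remotevpn dns-server 192.168.1.10
vpngroup remotevpn default-domain example.local
vpngroup remotevpn idle-time 1800
vpngroup remotevpn password <group-pre-shared-key>
```

Nothing in this configuration does anything for a client that sits behind a PAT device, which is exactly the limitation the post above describes: ESP has no ports for the PAT device to translate, so only the first client behind it (if any) gets through. Later PIX software (6.3) added NAT traversal with the `isakmp nat-traversal 20` command, which encapsulates ESP in UDP; on releases without that command, the concentrator remains the only Cisco box in this thread that can terminate such clients.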
Question: I am currently unable to specify the "crypto keyring" command when
configuring a VPN connection on my Cisco 2901 router. The following
licenses have been activated on my router: