Cisco Support Community

New Member

PIX IPsec and NAT/PAT

Two questions:

1- Does the latest PIX code support IPsec passthru? Can I create an IPsec tunnel from a client on the inside interface to a concentrator on the outside (internet) when the PIX NATs/PATs all IP addresses on the inside network to the outside IP address (assigned by DHCP), like a Linksys or a Nexland appliance? If the PIX cannot do it, what is the time frame for the feature?

2- When the PIX device acts as a VPN concentrator and the client software is the unified version 3.x client, is it possible to terminate a VPN session on the PIX when the VPN client is behind a NAT/PAT device? Does IPsec over UDP work on the PIX?

Regards

5 REPLIES
New Member

Re: PIX IPsec and NAT/PAT

NAT Transparency mode is currently only available on the concentrators. In your first question, your inside clients CAN use transparency mode THROUGH the PIX to connect to the external Cisco VPN concentrator. For question two, it will be a while before the PIX supports terminating the tunnel on the PIX in transparency mode. You might see if Cisco has a rough date yet. Last I heard they weren't sure if they were going to port that feature into the PIX at all.

New Member

Re: PIX IPsec and NAT/PAT

I am a little confused here. Can I set up my PIX to terminate VPN connections using the Unified Cisco VPN client when users are connected via NAT? I need to set up a VPN landing point on my PIX that other clients need to connect to. About 95% of these clients will be coming in through corporate sites and corporate firewalls. Will this not work? It just doesn't sound right. How can I get around this short of buying a VPN Concentrator?

New Member

Re: PIX IPsec and NAT/PAT

Unfortunately, this is correct. I'm suffering from the same thing. The 3000 concentrators are probably what you will need. Can you say "capital expenditure"? Nice product, will work well for what you're trying to do. Kinda wish the PIX would terminate in NAT transparency mode though.

New Member

Re: PIX IPsec and NAT/PAT

I am going through something like this right now.

We also had trouble connecting to the PIX from a DSL using the VPN software.

I have the 3000 concentrator, and it works very well for normal DSL and Cable modem access with the VPN software. However, trying to use the 3002 hardware client to connect to the internal network is another story. The 3002 will work in PAT mode all day long. I am having trouble getting it to work in network extension mode.

It will create the tunnel, but will not pass traffic from one site to another.

New Member

Re: PIX IPsec and NAT/PAT

You can configure the PIX to act as a termination endpoint. The number of clients that will be connecting in via IPsec, PPTP, or L2TP VPN is probably what you should base whether or not to buy a VPN Concentrator on, though. If you have more than 10 clients connecting in, I would go with the VPN Concentrator because the VPN Concentrator does just that. It's a VPN Concentrator; whereas the PIX can terminate remote client VPN sessions, it is harder to manage and set up than a VPN Concentrator. One issue, as well, that you might consider is that the PIX does not support transparency mode, which means that you cannot run PAT or NAT Overload on the firewall that the clients will be behind. If the clients are not going to be behind a firewall running PAT, then the remote client VPN terminating on the PIX will work fine. In short, go with the VPN Concentrator if you have a lot of remote VPN clients connecting into the network! Easier to manage!
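The thread's recurring point is that clients behind PAT cannot reach a PIX that lacks NAT transparency mode. The following is an added toy model (not Cisco or PIX code, and not posted by anyone in the thread) showing why: plain ESP has no transport ports for PAT to rewrite, while IPsec over UDP does. The UDP port number and the sample addresses are constructed assumptions.

```python
"""Toy PAT model: why IPsec clients behind PAT need NAT transparency (IPsec over UDP).
Added illustration, not Cisco/PIX code. Plain ESP (IP protocol 50) carries an SPI
but no ports, so PAT cannot tell two inside clients' tunnels apart behind one
outside address; wrapping ESP in UDP gives PAT a source port to rewrite."""
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17
IPSEC_UDP_PORT = 10000  # assumed UDP port for IPsec over UDP (not from the thread)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int] = None  # None for ESP: there is no transport header
    dst_port: Optional[int] = None

class Pat:
    """One outside address; translations keyed on (protocol, outside port)."""
    def __init__(self, outside_ip: str) -> None:
        self.outside_ip, self.next_port, self.table = outside_ip, 1024, {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means it must be dropped."""
        if pkt.proto == ESP:
            # No port to rewrite: like many "IPsec passthrough" boxes, this model
            # can pin the single outside address to only one inside ESP peer.
            key = (ESP, 0)
            if key in self.table and self.table[key][0] != pkt.src_ip:
                return None
            self.table[key] = (pkt.src_ip, None)
            return Packet(self.outside_ip, pkt.dst_ip, ESP)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_ip, pkt.dst_ip, pkt.proto, port, pkt.dst_port)

def tunnels_through(pat: Pat, clients: list, concentrator: str, udp: bool) -> int:
    """Count inside clients whose first tunnel packet makes it out through PAT."""
    ok = 0
    for ip in clients:
        pkt = (Packet(ip, concentrator, UDP, IPSEC_UDP_PORT, IPSEC_UDP_PORT) if udp
               else Packet(ip, concentrator, ESP))
        ok += pat.outbound(pkt) is not None
    return ok

if __name__ == "__main__":  # constructed sample addresses
    hosts = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    for udp in (False, True):
        label = "IPsec over UDP" if udp else "plain ESP"
        print(label, tunnels_through(Pat("203.0.113.5"), hosts, "198.51.100.1", udp))
```

With three inside clients, only one plain-ESP tunnel survives the PAT, while all three IPsec-over-UDP tunnels get their own translated source port.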
