Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN 3000 Behind FW-1

We are running a Cisco VPN 3000 behind a FW-1 running NAT. We want to connect PDA devices using the movian client to the VPN concentrator but are recieving bad IP error messages on the PDA. It is possible to establish a VPN using the cisco PC based client thou.

Is therre a recommended configuration for the VPN and FW-1 ruleset to allow this type of connection to be made??



Cisco Employee

Re: VPN 3000 Behind FW-1

You need to use the latest movian client that support ipsec thru nat (udp), then enable the same on both concentrator (thru the group settings, make sure you check the mode config section) and client.

New Member

Re: VPN 3000 Behind FW-1

I've configured the concentrator but cant find any where to configure the movian client. I'm using 2.10 build 98.4c. Am I missing something??

New Member

Re: VPN 3000 Behind FW-1

Perhaps a little off topic, but it may help in your network design.

The Cisco SAFE white papers ( recommend putting the concentrator in front of the FW, not behind it. This allows for traffic filtering after the packets have been decrypted. Other wise, all IPSec traffic will be treated the same.

You could also configure the concentrator in parallel with the FW. This is often the easiest configuration to work with and scales well, but again you would not be able to firewall your VPN clients.

Hope that helps?


CreatePlease to create content