Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

vpn client soft users behind pix 506

dear all,

i'm planing for a new office setup.where i will use ADSL router and i will connect the fast ethernet port to pix outside interface

inside will connect to my switch where 40 people are sitting.

and these 40 guys want to use vpn client software. so is it possible to pass this traffic, if i use "nat0" my inside network will go outside without any prob ?

is it a good solution?

initialy i was planing for vpn hardware client but bcoz of some reason the H.O people will not allow this.

please post ur views, all posts will be appreciated.




Re: vpn client soft users behind pix 506

Hi .. I guess they are trying to make sure any communication to head office is fully protected from internal and external sources. Internal because the system where the VPN client is installed will encrypt and decrypt the traffic to/from the head office. No PC within the LAN will be able to read other PC's data using sniffer or some other tool because the data is encrypted.

From external because as with any vpn the data will be protected as it travels over the Internet.

The cisco VPN client supports NAT Transparency which is enabled by default. It can use udp 4500( default ) or tcp 10000 to encapsulate IPsec packet on layer 4 header. The PIX then would be able to perform a PAT to send those udp packets out. I have not done this myself but you could try allowing port UDP 4500 and 500 on your PIX ..

for Inbound traffic

access-list Outside-In extended permit udp host x.x.x.x host y.y.y.y eq 4500

access-list Outside-In extended permit udp host x.x.x.x host y.y.y.y eq 500

access-grooup Outside-In in interface outside

For outbound Traffic

access-list Inside-Out extended permit udp any host x.x.x.x eq 4500

access-list Inside-Out extended permit udp any host x.x.x.x eq 500

nat (inside) 10 access-list Inside-Out

global (outside) 10 y.y.y.y

where: x.x.x.x is the IP address of the VPN end point at the head office which needs to have NAT traversal enabled. And y.y.y.y is the public address been used for PAT as the packets leave the remote office. It could be the outside interface of the firewall in whihc case you would use the 'interface' keyword.

This assumes that the firewall has a public address and the ADSL router is not blocking the above ports.

I suggest testing it on a lab if you can. i am interested to see the results.

Of course it will be so much easier to just create a LAN to LAN tunnel using the PIX as the head end.

I hope it helps .. please rate it if it does.