10-16-2006 02:25 AM - edited 02-21-2020 02:40 PM
Dear all,
I'm planning a new office setup where I will use an ADSL router and connect its Fast Ethernet port to the PIX outside interface.
The inside will connect to my switch, where 40 people are sitting.
These 40 users want to use the VPN client software. So is it possible to pass this traffic? If I use "nat 0", will my inside network go outside without any problem?
Is it a good solution?
Initially I was planning for a VPN hardware client, but for some reason the H.O. people will not allow this.
Please post your views; all posts will be appreciated.
Regards,
Binoy
10-16-2006 04:06 AM
Hi .. I guess they are trying to make sure any communication to the head office is fully protected from internal and external sources. Internal, because the system where the VPN client is installed will encrypt and decrypt the traffic to/from the head office. No PC within the LAN will be able to read another PC's data using a sniffer or some other tool, because the data is encrypted.
External, because as with any VPN the data will be protected as it travels over the Internet.
The Cisco VPN client supports NAT Transparency, which is enabled by default. It can use UDP 4500 (default) or TCP 10000 to encapsulate the IPsec packet in a layer 4 header. The PIX would then be able to perform a PAT to send those UDP packets out. I have not done this myself, but you could try allowing ports UDP 4500 and 500 on your PIX ..
for Inbound traffic
access-list Outside-In extended permit udp host x.x.x.x host y.y.y.y eq 4500
access-list Outside-In extended permit udp host x.x.x.x host y.y.y.y eq 500
access-group Outside-In in interface outside
For outbound Traffic
access-list Inside-Out extended permit udp any host x.x.x.x eq 4500
access-list Inside-Out extended permit udp any host x.x.x.x eq 500
nat (inside) 10 access-list Inside-Out
global (outside) 10 y.y.y.y
where x.x.x.x is the IP address of the VPN endpoint at the head office, which needs to have NAT traversal enabled, and y.y.y.y is the public address being used for PAT as the packets leave the remote office. It could be the outside interface of the firewall, in which case you would use the 'interface' keyword.
This assumes that the firewall has a public address and the ADSL router is not blocking the above ports.
I suggest testing it in a lab if you can. I am interested to see the results.
Of course it will be so much easier to just create a LAN-to-LAN tunnel using the PIX as the head end.
I hope it helps .. please rate it if it does.
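To see why the reply insists on NAT-T, here is an added model (not from the thread or from Cisco) of the Inside-Out policy above: it evaluates constructed flows from the branch PCs against the two access-list entries and the PAT rule, and shows that IKE (UDP 500) and NAT-T (UDP 4500) are translated while raw ESP, which has no L4 ports, cannot be. The head-office address 203.0.113.10 and the inside network 192.168.10.0/24 are placeholders standing in for x.x.x.x and the branch LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HEAD_OFFICE_VPN = "203.0.113.10"             # placeholder for x.x.x.x (documentation range)
BRANCH_LAN = ip_network("192.168.10.0/24")   # constructed inside network of the 40 PCs


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "esp" (IP protocol 50, no ports)
    dport: Optional[int] = None


# Mirrors the reply's policy-NAT ACL:
#   access-list Inside-Out extended permit udp any host x.x.x.x eq 4500
#   access-list Inside-Out extended permit udp any host x.x.x.x eq 500
INSIDE_OUT_ACL = [
    ("udp", HEAD_OFFICE_VPN, 4500),
    ("udp", HEAD_OFFICE_VPN, 500),
]


def acl_matches(flow: Flow) -> bool:
    """True if any Inside-Out entry matches; anything else falls to the implicit deny."""
    return any(flow.proto == proto and flow.dst == dst and flow.dport == port
               for proto, dst, port in INSIDE_OUT_ACL)


def pat_possible(flow: Flow) -> bool:
    """PAT overloads one public address by rewriting L4 ports, so only TCP/UDP qualify."""
    return flow.proto in ("udp", "tcp")


def evaluate(flow: Flow) -> str:
    """Outcome of 'nat (inside) 10 access-list Inside-Out' + 'global (outside) 10 y.y.y.y'."""
    if ip_address(flow.src) not in BRANCH_LAN:
        return "untranslated: source is not on the inside network"
    if not acl_matches(flow):
        return "untranslated: no Inside-Out ACL entry matches"
    if not pat_possible(flow):
        return "untranslated: no L4 ports for PAT to rewrite"
    return "translated: PAT to y.y.y.y"


if __name__ == "__main__":
    for f in (Flow("192.168.10.5", HEAD_OFFICE_VPN, "udp", 500),
              Flow("192.168.10.5", HEAD_OFFICE_VPN, "udp", 4500),
              Flow("192.168.10.5", HEAD_OFFICE_VPN, "esp")):
        print(f, "->", evaluate(f))
```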