vpn client soft users behind pix 506

dear all,

I'm planning a new office setup, where I will use an ADSL router and connect its Fast Ethernet port to the PIX outside interface.

The inside interface will connect to my switch, where 40 people are sitting.

These 40 users want to use VPN client software. So is it possible to pass this traffic? If I use "nat 0", will my inside network go outside without any problem?

Is it a good solution?

Initially I was planning for a VPN hardware client, but for some reason the H.O. people will not allow this.

Please post your views; all posts will be appreciated.

Regards

Binoy


Fernando_Meza
Level 7

Hi .. I guess they are trying to make sure any communication to the head office is fully protected from internal and external sources. Internal because the system where the VPN client is installed will encrypt and decrypt the traffic to/from the head office. No PC within the LAN will be able to read other PCs' data using a sniffer or some other tool, because the data is encrypted.

From external sources because, as with any VPN, the data will be protected as it travels over the Internet.

The Cisco VPN client supports NAT Transparency, which is enabled by default. It can use UDP 4500 (default) or TCP 10000 to encapsulate the IPsec packet in a layer 4 header. The PIX would then be able to perform PAT to send those UDP packets out. I have not done this myself, but you could try allowing UDP ports 4500 and 500 on your PIX ..

For inbound traffic

access-list Outside-In extended permit udp host x.x.x.x host y.y.y.y eq 4500

access-list Outside-In extended permit udp host x.x.x.x host y.y.y.y eq 500

access-group Outside-In in interface outside

For outbound traffic

access-list Inside-Out extended permit udp any host x.x.x.x eq 4500

access-list Inside-Out extended permit udp any host x.x.x.x eq 500

nat (inside) 10 access-list Inside-Out

global (outside) 10 y.y.y.y

Where: x.x.x.x is the IP address of the VPN endpoint at the head office, which needs to have NAT traversal enabled. And y.y.y.y is the public address being used for PAT as the packets leave the remote office. It could be the outside interface of the firewall, in which case you would use the 'interface' keyword.

This assumes that the firewall has a public address and the ADSL router is not blocking the above ports.

I suggest testing it in a lab if you can. I am interested to see the results.

Of course it will be so much easier to just create a LAN to LAN tunnel using the PIX as the head end.

I hope it helps .. please rate it if it does.
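An added illustration, not part of the reply above: the suggested ACLs and PAT only open UDP 500 and UDP 4500, so it helps to know what those datagrams look like on the wire when checking a lab capture. The classifier below follows the NAT-T encapsulation rules (four-zero-byte non-ESP marker before IKE on 4500, ESP-in-UDP otherwise, a lone 0xFF keepalive that refreshes the PAT entry) and tallies what the permitted ports are actually carrying. The sample datagrams are constructed, not captured, and the TCP 10000 option the reply mentions is not covered.

```python
import struct
from collections import Counter

# RFC 3948: on UDP/4500 an IKE message is prefixed with four zero bytes (the
# "non-ESP marker"); ESP starts with its SPI, and SPI 0 is reserved, so the
# two never collide. A lone 0xFF byte is the NAT keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HDR = struct.Struct("!QQBBBBII")  # iSPI, rSPI, next, ver, exch, flags, msgid, len
ESP_HDR = struct.Struct("!II")        # SPI, sequence number

def parse_ike(data, where):
    """Decode the fixed 28-byte ISAKMP/IKE header -> (kind, spi, detail)."""
    if len(data) < IKE_HDR.size:
        return ("unknown", None, f"{where}: truncated IKE header")
    ispi, _rspi, _nxt, ver, exch, _flg, _mid, length = IKE_HDR.unpack_from(data)
    return ("ike", ispi, f"{where}: IKEv{ver >> 4} exchange={exch} len={length}")

def classify(dst_port, payload):
    """Classify one UDP datagram seen on the IKE (500) or NAT-T (4500) port."""
    if dst_port == 500:
        return parse_ike(payload, "udp/500")
    if dst_port != 4500:
        return ("unknown", None, f"udp/{dst_port}: not an IKE or NAT-T port")
    if payload == b"\xff":  # keepalive: keeps the PAT translation alive when idle
        return ("keepalive", None, "udp/4500: NAT keepalive")
    if payload.startswith(NON_ESP_MARKER):
        return parse_ike(payload[4:], "udp/4500")
    if len(payload) < ESP_HDR.size:
        return ("unknown", None, "udp/4500: too short for ESP")
    spi, seq = ESP_HDR.unpack_from(payload)
    return ("esp", spi, f"udp/4500: ESP-in-UDP spi=0x{spi:08x} seq={seq}")

def tally(datagrams):
    """Count kinds over (dst_port, payload) pairs, e.g. pulled from a capture."""
    return Counter(classify(p, d)[0] for p, d in datagrams)

# Constructed sample datagrams (not a real capture): IKEv1 aggressive mode on
# 500, quick mode from the same client on 4500 after NAT detection, ESP, keepalive.
SAMPLE = [
    (500, IKE_HDR.pack(0x1122334455667788, 0, 1, 0x10, 4, 0x00, 0, 28)),
    (4500, NON_ESP_MARKER + IKE_HDR.pack(0x1122334455667788, 0x99, 8, 0x10, 32, 0x01, 1, 28)),
    (4500, ESP_HDR.pack(0xC0FFEE01, 1) + b"\x00" * 24),
    (4500, b"\xff"),
]

if __name__ == "__main__":
    for port, data in SAMPLE:
        print(classify(port, data)[2])
    print(dict(tally(SAMPLE)))
```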