
New Member

VPN Client through firewall to Cisco Pix

Hi All

I am installing ADSL in the home and need to create a VPN between Cisco VPN client software on a WinXP client and a PIX firewall in our offices. I will be using a cheap firewall at home to protect my home PCs from the internet. This will have an ADSL connection and will be doing PAT as I only have one public address.

Can I create a VPN between the Cisco VPN client and the PIX firewall through my ADSL router which will be running PAT? From what I have understood from a lot of the posts that I have read, a problem arises when more than two people create a VPN to the same PIX when using PAT on the local FW/router. This shouldn't apply to me as I will only ever require one VPN tunnel at any one time between my home and work.

Could anyone please clarify if this will work ok, any advice here much appreciated as I have no experience in this field.

Regards

4 REPLIES
Bronze

Re: VPN Client through firewall to Cisco Pix

Hi Karl.

In an IPSec implementation which uses ESP (protocol 50), the PAT device has no way of translating an ESP packet (as an ESP packet does not have any port information). There are some more intelligent FWs/PAT devices which PAT the ESP packet based on the SPI values and the ISAKMP cookie value. So if your PAT device is capable of doing that, then it should work.

However, due to PAT and ESP restrictions, a lot of IPSec vendors are implementing NAT-T (an IETF draft) to solve this problem. NAT-T functionality is supposed to be introduced in version 6.3, which is not out yet. If you had a Cisco IOS or a VPN 3K concentrator as the head-end VPN device, then this would have been possible now.

Hope that answers your question

Jazib
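
An added illustration of the reply above (not part of the original post and not Cisco code): a small Python classifier showing which fields an IPv4 packet offers a PAT device, comparing raw ESP (protocol 50, SPI only) with the same ESP header wrapped in UDP by NAT-T. UDP port 4500 and the four-zero-byte non-ESP marker are assumptions taken from RFC 3948, the published form of the NAT-T draft; the addresses, SPI and packets are constructed samples.

```python
import socket
import struct

TCP, UDP, ESP = 6, 17, 50
NAT_T_PORT = 4500  # assumption: RFC 3948 port, not stated in the thread

def pat_key(packet: bytes) -> dict:
    """Report which fields of an IPv4 packet a PAT device can map on."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto in (TCP, UDP):
        if len(payload) < 8:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", payload[:4])
        info = {"kind": "tcp" if proto == TCP else "udp",
                "has_ports": True, "sport": sport, "dport": dport}
        if proto == UDP and NAT_T_PORT in (sport, dport):
            body = payload[8:]
            info["kind"] = "nat-t"
            if body == b"\xff":
                info["inner"] = "keepalive"
            elif body[:4] == b"\x00" * 4:   # non-ESP marker: IKE follows
                info["inner"] = "ike"
            else:                            # first 4 bytes are the ESP SPI
                info["inner"] = "esp"
        return info
    if proto == ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        # No ports: only the SPI is available to tell flows apart.
        return {"kind": "esp", "has_ports": False, "spi": spi, "seq": seq}
    return {"kind": "other", "has_ports": False, "proto": proto}

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left as 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.168.1.10"),
                       socket.inet_aton("203.0.113.5")) + payload

def udp(sport: int, dport: int, body: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body

# Constructed samples: same ESP header sent raw and wrapped in UDP 4500.
ESP_HDR = struct.pack("!II", 0x1A2B3C4D, 1) + b"\x00" * 16
RAW_ESP = ipv4(ESP, ESP_HDR)
NATT_ESP = ipv4(UDP, udp(4500, 4500, ESP_HDR))
IKE = ipv4(UDP, udp(500, 500, b"\x11" * 28))
```

Calling `pat_key(RAW_ESP)` returns no ports and only an SPI, while `pat_key(NATT_ESP)` returns ordinary UDP source and destination ports that any PAT device can rewrite.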

New Member

Re: VPN Client through firewall to Cisco Pix

Hi Jazib

Thanks for pointing me in the right direction and for a great reply. The PAT device I have been looking at is a Speedtouch 510 v4 which does support the use of protocol 50 but I am not sure on the PAT side. Could you recommend a low end adsl router/fw that could do this for me - not cisco as it is only for home and coming out of my pocket.

Thanks again

Bronze

Re: VPN Client through firewall to Cisco Pix

Hi there,

In my personal experience, I have seen many vendors implementing this ESP/PAT feature, also known as "IPSec pass-through". In addition to Cisco routers, I have seen this functionality on Linksys, D-Link and SMC based routers.

I am sure there will be many more.

Hope that helps

Jazib

New Member

Re: VPN Client through firewall to Cisco Pix

Hi Jazib

Many thanks for advice

Best regards
