I am installing adsl in the home and need to create a vpn between cisco vpn client software on a winxp client and a pix firewall in our offices. I will be using a cheap firewall at home to protect my home PCs from the internet. This will have an adsl connection and will be doing PAT as I only have one public address.
Can I create a vpn between the cisco vpn client and the pix firewall through my adsl router which will be running PAT? From what I have understood from a lot of the posts that I have read, a problem arises when more than two people create a vpn to the same pix when using PAT on the local fw/router. This shouldn't apply to me as I will only ever require one vpn tunnel at any one time between my home and work.
Could anyone please clarify if this will work ok, any advice here much appreciated as I have no experience in this field.
In an IPSec implementation which uses ESP (protocol 50), the PAT device has no way of translating an ESP packet (as an ESP packet does not have any port information). There are some more intelligent FWs/PAT devices which PAT the ESP packet based on the SPI values and the ISAKMP cookie value. So if your PAT device is capable of doing that, then it should work.
However, due to PAT and ESP restrictions, a lot of IPSec vendors are implementing NAT-T (an IETF draft) to solve this problem. NAT-T functionality is supposed to be introduced in version 6.3 which is not out yet. If you had a cisco IOS or a VPN 3K concentrator as the head-end VPN device, then this would have been possible now.
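An added example (not from this thread or any poster) showing why the reply above holds: a port-only PAT device has no port field to key on in an ESP packet, an SPI-aware device can key on the SPI, and NAT-T wraps ESP in UDP/4500 so ordinary port-based PAT works again. Packet bytes are constructed inline; addresses and SPI values are made up.

```python
import socket
import struct

ESP, UDP = 50, 17
NAT_T_PORT = 4500  # UDP port used by NAT-T (UDP-encapsulated ESP)


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def esp(spi, seq, body=b"\x00" * 16):
    """ESP header: 32-bit SPI, 32-bit sequence number, then opaque (encrypted) data."""
    return struct.pack("!II", spi, seq) + body


def udp(sport, dport, body):
    """UDP header (checksum 0) in front of body."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def pat_key(pkt, spi_aware=False):
    """Return the tuple a PAT device would use to track this outbound flow,
    or None when a port-only PAT device has nothing to key on."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    l4 = pkt[ihl:]
    if proto == UDP:
        sport, dport = struct.unpack("!HH", l4[:4])
        kind = "nat-t" if dport == NAT_T_PORT else "udp"
        return (kind, src, sport)    # ports exist, so PAT can rewrite them
    if proto == ESP:
        spi = struct.unpack("!I", l4[:4])[0]
        # No ports in ESP: only an SPI-aware device can build a mapping
        return ("esp", src, spi) if spi_aware else None
    return None


# Constructed samples: a home client behind PAT talking to the office PIX
plain_esp = ipv4("192.168.1.10", "203.0.113.5", ESP, esp(0x1234ABCD, 1))
nat_t = ipv4("192.168.1.10", "203.0.113.5", UDP,
             udp(4500, NAT_T_PORT, b"\x00\x00\x00\x00" + esp(0x1234ABCD, 1)))

if __name__ == "__main__":
    print(pat_key(plain_esp))                 # None: port-only PAT cannot map it
    print(pat_key(plain_esp, spi_aware=True)) # ('esp', '192.168.1.10', 305441741)
    print(pat_key(nat_t))                     # ('nat-t', '192.168.1.10', 4500)
```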
Thanks for pointing me in the right direction and for a great reply. The PAT device I have been looking at is a Speedtouch 510 v4 which does support the use of protocol 50 but I am not sure on the PAT side. Could you recommend a low end adsl router/fw that could do this for me - not cisco as it is only for home and coming out of my pocket.
In my personal experience, I have seen many vendors implementing this ESP/PAT feature, also known as "IPSec pass-through". In addition to Cisco routers, I have seen this functionality on Linksys-, Dlink- and SMC-based routers.