
New Member

VPN Concentrator behind PIX

Hello, I was wondering if you could have a connection to a 3005 VPN Concentrator go through a PIX. For instance, a remote internet user through the PIX to the VPN Concentrator.

If you could let me know what ports and static statements are needed.



Cisco Employee

Re: VPN Concentrator behind PIX

Sure, although you have to be careful with NAT/PAT, but I'm a little unclear whether the client is behind the PIX or the concentrator is.

If the client is inside the PIX, then you can do one of a few things:

- On the PIX create a static one-to-one address translation for the inside host so that it will be NAT'd, not PAT'd. If you do this, you also need to create an access-list that allows IPSec (IP protocol 50) back in through the PIX, cause the PIX won't open a hole for it automatically.

- Use IPsec over UDP encapsulation on the 3005 and the client, this encapsulates the IPSec packets into UDP packets that can then be PAT'd OK by the PIX. Unless you have a valid global IP address for each internal client, this is probably the way to go.

- Use IPSec over TCP in the 3005 and client, same principle as IPSec over UDP but the packets are encapsulated in TCP (obviously).

If the concentrator is inside the PIX, you have to create a one-to-one static translation for its Public interface's IP address and then allow ISAKMP and IPSec through to it. Something like:

> static (inside,outside) netmask

> access-list inbound permit esp any host

> access-list inbound permit udp any host eq 500

> access-group inbound in interface outside
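As an added worked example (not from the thread above), the following PIX 6.x configuration fills in the commands the reply sketches for both cases. All addresses are constructed: 203.0.113.0/24 stands in for the PIX's outside range and 10.1.1.0/24 for the inside network; the interface names and access-list name are assumed.

```cisco
! ---- Case 1: VPN 3005 Concentrator sits inside the PIX ----
! Concentrator Public interface (constructed): 10.1.1.5
! Global address reserved for it on the outside (constructed): 203.0.113.10
!
! One-to-one static NAT so ISAKMP/ESP are never PAT'd (ESP has no ports to translate)
static (inside,outside) 203.0.113.10 10.1.1.5 netmask 255.255.255.255
!
! Inbound ACL on the outside interface: ESP (IP protocol 50) and ISAKMP (UDP/500) only
access-list inbound permit esp any host 203.0.113.10
access-list inbound permit udp any host 203.0.113.10 eq 500
access-group inbound in interface outside

! ---- Case 2: the VPN client sits inside the PIX (no UDP/TCP encapsulation) ----
! Client host (constructed): 10.1.1.20, mapped one-to-one to 203.0.113.20
static (inside,outside) 203.0.113.20 10.1.1.20 netmask 255.255.255.255
!
! Return ESP cannot be matched to an outbound connection by the PIX, so it must be
! permitted explicitly; ISAKMP (UDP/500) replies are handled by the normal UDP xlate.
! Scoping the source to the concentrator's address keeps the hole as small as possible.
! Concentrator address on the Internet (constructed placeholder): 203.0.113.200
access-list inbound permit esp host 203.0.113.200 host 203.0.113.20
```

If IPSec over UDP or over TCP is enabled on the 3005 and the client instead, Case 2 needs neither the static nor the ESP permit, because the encapsulated traffic is ordinary UDP/TCP that PAT handles on its own.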