Sure, although you have to be careful with NAT/PAT, but I'm a little unclear whether the client is behind the PIX or the concentrator is.
If the client is inside the PIX, then you can do one of a few things:
- On the PIX, create a static one-to-one address translation for the inside host so that it will be NAT'd, not PAT'd. If you do this, you also need to create an access-list that allows IPSec (IP protocol 50) back in through the PIX, because the PIX won't open a hole for it automatically.
- Use IPSec over UDP encapsulation on the 3005 and the client; this encapsulates the IPSec packets into UDP packets that can then be PAT'd OK by the PIX. Unless you have a valid global IP address for each internal client, this is probably the way to go.
- Use IPSec over TCP in the 3005 and client; same principle as IPSec over UDP, but the packets are encapsulated in TCP (obviously).
If the concentrator is inside the PIX, you have to create a one-to-one static translation for its Public interface's IP address and then allow ISAKMP and IPSec through to it. Something like:
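
An added example, not part of the original post: a sketch in PIX 6.x syntax of the static translation and inbound rules described above for a concentrator behind the PIX. The addresses (192.0.2.10 public, 10.1.1.10 inside), the interface names and the ACL name `outside_in` are constructed placeholders, and lines starting with `!` are annotations, not commands.

```cisco
! Constructed example: every address and name here is a placeholder.
! One-to-one static: public 192.0.2.10 maps to the concentrator's
! Public interface at 10.1.1.10 (NAT, not PAT).
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
! Allow ISAKMP (UDP 500) in to the translated address.
access-list outside_in permit udp any host 192.0.2.10 eq isakmp
! Allow IPSec ESP (IP protocol 50) in to the translated address.
access-list outside_in permit esp any host 192.0.2.10
! Apply the ACL to traffic arriving on the outside interface.
access-group outside_in in interface outside
```

For the first option in the list (client inside the PIX with its own static), the same `static` and `permit esp` lines apply with the client's addresses. `show xlate` and the hit counts in `show access-list` confirm that the translation exists and that the ESP entry is matching.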