VPN COncentrator behind PIX

dedube23
Level 1

Hello, I was wondering if you could have a connection to a 3005 VPN concentrator go through a PIX. For instance, a remote internet user through the PIX to the VPN Concentrator.

If you could, let me know what ports and static statements are needed.

Thanks

David

1 Reply

gfullage
Cisco Employee

Sure, although you have to be careful with NAT/PAT, but I'm a little unclear whether the client is behind the PIX or the concentrator is.

If the client is inside the PIX, then you can do one of a few things:

- On the PIX, create a static one-to-one address translation for the inside host so that it will be NAT'd, not PAT'd. If you do this, you also need to create an access-list that allows IPSec (IP protocol 50) back in through the PIX, because the PIX won't open a hole for it automatically.

- Use IPsec over UDP encapsulation on the 3005 and the client, which encapsulates the IPSec packets into UDP packets that can then be PAT'd OK by the PIX. Unless you have a valid global IP address for each internal client, this is probably the way to go.

- Use IPSec over TCP on the 3005 and client, same principle as IPSec over UDP but the packets are encapsulated in TCP (obviously).

If the concentrator is inside the PIX, you have to create a one-to-one static translation for its Public interface's IP address and then allow ISAKMP and IPSec through to it. Something like:

    static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255
    access-list inbound permit esp any host 200.1.1.1
    access-list inbound permit udp any host 200.1.1.1 eq 500
    access-group inbound in interface outside
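As an added example (not Cisco's code and not part of the thread), here is a small checker for the "concentrator inside the PIX" case above: it parses the PIX 6.x `static`, `access-list` and `access-group` lines and reports, for each static translation, whether the ACL bound to the global interface permits ESP and ISAKMP (udp/500) to the translated address. The `extra_udp_ports` parameter is an assumption for sites that also run the IPsec-over-UDP encapsulation the reply mentions; pass whatever port the 3005 is configured to listen on. The sample configuration is constructed from the lines in the reply.

```python
import re

# Constructed sample, copied from the reply above (PIX 6.x syntax).
SAMPLE_CONFIG = """
static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list inbound permit esp any host 200.1.1.1
access-list inbound permit udp any host 200.1.1.1 eq 500
access-group inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\w+) (\S+) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

# The PIX accepts service names as well as numbers; normalise the one we care about.
PORT_ALIASES = {"isakmp": "500"}


def missing_vpn_rules(config: str, extra_udp_ports=()) -> dict:
    """Return {global_ip: [missing rules]} for each static translation whose
    global interface lacks an inbound ACL entry for ESP, udp/500, or any
    extra UDP encapsulation port (hypothetical parameter, see lead-in)."""
    statics, acl_entries, bound = [], {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append((m.group(2), m.group(3)))  # (global iface, global ip)
        elif m := ACL_RE.match(line):
            name, proto, _src, dst, port = m.groups()
            acl_entries.setdefault(name, set()).add((proto, dst, PORT_ALIASES.get(port, port)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL name applied inbound
    required = [("esp", None), ("udp", "500")] + [("udp", p) for p in extra_udp_ports]
    report = {}
    for iface, gip in statics:
        permitted = acl_entries.get(bound.get(iface, ""), set())
        gaps = [f"{proto}{'/' + port if port else ''}" for proto, port in required
                if (proto, gip, port) not in permitted]
        if gaps:
            report[gip] = gaps
    return report


if __name__ == "__main__":
    print(missing_vpn_rules(SAMPLE_CONFIG) or "all required IPsec rules present")
```

Run it against a pasted `show run` excerpt to confirm the access-group is actually bound to the outside interface; a correct ACL that is never applied is the most common way this setup silently fails.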
