Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

vpn out access


here is the problem i ran into at two of my offices:

some of our employees needs to be access to a vpn outside of our office, and the only work around for them to go out i had to set a static route and assigning public ip.

is there any other way i can do that without create a static route and assigning public ip?

Cisco Employee

Re: vpn out access

It would help if we knew what software version you're running, and even what product you're using :-)

Anyway, I'll assume a PIX. If you're running 6.3 then you can use the command "fixup protocol esp-ike" to enable ONE internal VPN session to use the PAT'd address on th eoutside interface (you don't need to define a static in other words). There is no good way to do this for several internal users though.

If you're running v7.x then unfortunately there's no way to do it as they removed the "esp-ike" fixup, although I have heard that it's coming back in shortly. Again though it'll only probbaly support ONE internal VPN user.

The best way around this is to enable NAT-T (IPSec encapsulation) between the VPN clients and VPN concentrator. Every VPN product will have this functionality nowadays, where the IPSec packets are encapsulated within TCP or UDP packets so that they can be correctly PAT'd by any device. If you can enable this on the VPN ends, then you won't need to make any changes on your firewall, AND it will support several internal users.

Re: vpn out access

Interesting ... do you know if the situation is the same when using fixup protocol pptp 1723 ... ONE session only as well ..?

CreatePlease to create content