vpn out access

alexus · ‎05-24-2006

hello

here is the problem i ran into at two of my offices:

some of our employees needs to be access to a vpn outside of our office, and the only work around for them to go out i had to set a static route and assigning public ip.

is there any other way i can do that without create a static route and assigning public ip?

gfullage · ‎05-24-2006

It would help if we knew what software version you're running, and even what product you're using :-)

Anyway, I'll assume a PIX. If you're running 6.3 then you can use the command "fixup protocol esp-ike" to enable ONE internal VPN session to use the PAT'd address on th eoutside interface (you don't need to define a static in other words). There is no good way to do this for several internal users though.

If you're running v7.x then unfortunately there's no way to do it as they removed the "esp-ike" fixup, although I have heard that it's coming back in shortly. Again though it'll only probbaly support ONE internal VPN user.

The best way around this is to enable NAT-T (IPSec encapsulation) between the VPN clients and VPN concentrator. Every VPN product will have this functionality nowadays, where the IPSec packets are encapsulated within TCP or UDP packets so that they can be correctly PAT'd by any device. If you can enable this on the VPN ends, then you won't need to make any changes on your firewall, AND it will support several internal users.

Fernando_Meza · ‎05-25-2006

Interesting ... do you know if the situation is the same when using fixup protocol pptp 1723 ... ONE session only as well ..?