05-24-2006 08:34 AM - edited 02-21-2020 02:26 PM
Hello,
Here is the problem I ran into at two of my offices:
Some of our employees need to access a VPN outside of our office, and the only workaround for them to get out was that I had to set a static route and assign a public IP.
Is there any other way I can do that without creating a static route and assigning a public IP?
05-24-2006 05:12 PM
It would help if we knew what software version you're running, and even what product you're using :-)
Anyway, I'll assume a PIX. If you're running 6.3 then you can use the command "fixup protocol esp-ike" to enable ONE internal VPN session to use the PAT'd address on the outside interface (you don't need to define a static, in other words). There is no good way to do this for several internal users though.
If you're running v7.x then unfortunately there's no way to do it as they removed the "esp-ike" fixup, although I have heard that it's coming back shortly. Again though, it'll only probably support ONE internal VPN user.
The best way around this is to enable NAT-T (IPSec encapsulation) between the VPN clients and VPN concentrator. Every VPN product will have this functionality nowadays, where the IPSec packets are encapsulated within TCP or UDP packets so that they can be correctly PAT'd by any device. If you can enable this on the VPN ends, then you won't need to make any changes on your firewall, AND it will support several internal users.
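As an added illustration (not part of the thread), here is how the three options the reply contrasts look in PIX 6.3 syntax; the addresses, interface names and ACL name are made up, and the NAT-T line assumes the VPN headend is itself a PIX, which the thread does not say.

```text
: --- What the original poster described: one static + public IP per VPN user ---
: (PIX 6.3 syntax; addresses and names are constructed for illustration)
nat (inside) 1 0 0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
: ESP is not tracked statefully, so the returning ESP and IKE flows need explicit permits
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list outside_in permit esp any host 203.0.113.10
access-group outside_in in interface outside

: --- Option 1 (6.3 only): let ONE internal client ride the outside PAT address ---
: no static and no inbound ACL entries are needed, but only a single ESP session is tracked;
: per the PIX 6.3 docs this fixup cannot be enabled if the PIX itself runs ISAKMP
fixup protocol esp-ike

: --- Option 2: NAT-T, configured on the VPN endpoints rather than on this firewall ---
: assumed headend is a PIX 6.3: IPsec is carried in UDP/4500 with 20-second keepalives,
: so any number of internal clients can share the PAT address; the firewall keeps plain PAT
isakmp nat-traversal 20
```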
05-25-2006 02:29 AM
Interesting ... do you know if the situation is the same when using fixup protocol pptp 1723 ... ONE session only as well ..?