The problem we have at present is that the Mac client, which is only available on OS X, does not have a built-in personal firewall. There is a firewall included with OS X, but it does block the building of the encrypted tunnel between devices, so this has been switched off.
The policy on my concentrators will not let a connection be established unless it can enable the firewall on the client machine, and because the Macs do not have one, the connection fails.
My question: is there any workaround to make my Mac OS X clients tunnel securely with a built-in personal firewall enabled?
At this point the Mac client has no built-in firewall capability. If your concentrator group is set up to only allow connections with firewalls enabled, you'll have to set up a second group that has no firewall options set and have your Mac clients connect into this group. Don't allow split tunnelling within this group, and that will stop anyone on the Internet from being able to get to the Mac while the tunnel is established.
I believe a firewall option will be available for the Mac client in the future, but at this time there's nothing you can do.
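The workaround in the answer above (a separate remote-access group with no client-firewall requirement and split tunnelling disabled) expressed as a configuration fragment. This is an added example, not from the original post or from Cisco; it assumes an ASA-style CLI rather than the VPN 3000 Concentrator's web GUI, and the group names, pre-shared key and pool name are placeholders chosen for illustration.

```cisco
! Added example (not from the original thread). Assumed ASA-style CLI;
! group/pool names and the pre-shared key are placeholders.

! 1. Group policy for the Mac clients: no client-firewall requirement,
!    and tunnelall so that the Mac has no direct Internet path while
!    the tunnel is up (all traffic goes through the concentrator).
group-policy MAC-NOFW internal
group-policy MAC-NOFW attributes
 vpn-tunnel-protocol ipsec
 client-firewall none
 split-tunnel-policy tunnelall
 address-pools value MAC-POOL

! 2. A dedicated tunnel group so only the Mac users land in this policy;
!    the existing firewall-required group stays unchanged for the
!    Windows clients.
tunnel-group MAC-NOFW type remote-access
tunnel-group MAC-NOFW general-attributes
 default-group-policy MAC-NOFW
 address-pool MAC-POOL
tunnel-group MAC-NOFW ipsec-attributes
 pre-shared-key CHANGE-ME-PLACEHOLDER
```

Two points worth checking after applying something like this: with tunnelall in force, Internet traffic from the Mac must be allowed back out through the concentrator (the usual hairpin or "same-security-traffic permit intra-interface" plus NAT arrangement on an ASA), otherwise the Mac loses Internet access rather than being protected; and the group credential for MAC-NOFW should differ from the firewall-required group, because anyone holding it can bypass the firewall policy simply by choosing that group in the client profile.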
It's now 3 months later. When will we see a Mac OS X VPN client that works with Cisco's integrated firewall push policy? Quarantining the Mac users into a subgroup is not an adequate solution for our company.