
New Member

Using VPN Client outbound from behind a PIX

From what I understand, a PIX can either function as a VPN endpoint for IPsec tunnels, or allow IPsec traffic to pass through it to other endpoints behind it; my PIX is an endpoint, but there are some users who wish to use VPN Client to connect to outside points beyond the firewall.

Is there a way to configure a PIX to both pass-through IPsec traffic AND be an endpoint?

On a related note, can two software VPN Client hosts connect to each other?

Thanks,

Marc

Accepted Solution
Gold

Re: Using VPN Client outbound from behind a PIX

My company PIX does exactly what you posted: there are LAN-to-LAN VPNs, and we still establish VPNs to other businesses via VPN Client software.

Regarding the pass-through, no extra ACL or configuration should be required, assuming there is no outbound ACL on the PIX. One matter that should be noted is that the other end (i.e. the termination point of the remote VPN client) has to permit NAT traversal, since the local PIX usually performs NAT/PAT.

On the other hand, a VPN directly between two clients is not feasible, as the name suggests (they are both clients).

3 REPLIES

New Member

Re: Using VPN Client outbound from behind a PIX

Thanks for the reply.

It's good to know that outbound VPN is possible with no explicit configuration; we do have an outbound ACL, so are there any permissions related to VPN-used ports that you know of?

The PIX does NAT outbound, also, so I guess we will have to make sure that the remote endpoint does NAT-traversal (unless the client host has a static translation, which is unlikely).

Marc

New Member

Re: Using VPN Client outbound from behind a PIX

If you are doing port address translation, you have to issue the isakmp nat-traversal command. This is not part of the access-list.
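To tie the two replies together, here is an added example (not configuration posted by anyone in this thread) in PIX 6.3-style syntax. It shows the minimum an outbound ACL must permit for a NAT-T capable VPN Client behind the PIX, plus the nat-traversal command on the far end. The ACL name inside_out, the inside subnet 192.168.10.0/24 and the remote concentrator address 203.0.113.10 are assumptions.

```cisco
! Added example, not from the thread. Local PIX: already a LAN-to-LAN
! endpoint, with an outbound ACL applied on the inside interface.
! The ACL name, inside subnet and remote address are assumptions.
!
! Permit only what a NAT-T capable VPN Client needs from inside hosts:
! IKE (UDP/500) and NAT-T (UDP/4500). Once NAT-T is negotiated, ESP is
! carried inside UDP/4500, so no IP protocol 50 entry is needed and the
! PAT on this PIX does not break the tunnel.
access-list inside_out permit udp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq isakmp
access-list inside_out permit udp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq 4500
access-group inside_out in interface inside
!
! Far end (the device terminating the VPN Client, if it is also a PIX):
! NAT traversal must be enabled there, because this PIX PATs the client
! behind its outside address. The argument is the keepalive interval in
! seconds.
isakmp nat-traversal 20
```

Restricting the destination to the known remote peer keeps the outbound ACL least-privilege; if users connect to several remote sites, add one pair of entries per peer rather than opening UDP/500 and UDP/4500 to any destination.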
