Re: [fw-wiz] PIX 515 and Cisco VPN client from inside
From: Brian Recore (brecore_at_mindsync.net)
To: Marko Kupiainen <firstname.lastname@example.org> Date: Fri, 29 Aug 2003 10:12:48 -0700
Marko Kupiainen wrote:
>Im new to the list and apologize if this question being asked before.
>I read through 2003 archives and couldnt find anything similar.
>Our company uses a PIX 515 with 3 legs, OUTSIDE, DMZ and INSIDE
>We have users doing VPN tunnels from their homes with Cisco VPN client 4 and
>terminating the tunnels at the PIX. This works great.
>But we cant create tunnels from INSIDE and terminating at other customers
>endpoints. The tunnels are easily created if we work outside our PIX.
>The PIX 515 do PAT for all INSIDE connections using outside interface IP.
>Is there any hooks when doing VPN over PAT with Cisco clients ?
>CIO Microcraft AB
>firewall-wizards mailing list
In my experiences you don't want to NAT/PAT the VPN traffic. You do
this by using the command "nat 0" There is other commands with it that
I can't recall but the point is to NAT/PAT all traffic except the VPN
I had to do this a couple of times in the past. It seems IPSec had
problems with the nat traffic.
Here is something from cisco
access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
global (outside) 1 220.127.116.11-18.104.22.168 netmask 255.255.255.192
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
This configuration will not translate those addresses with a source
address of 10.0.0.0/8 and a destination address of 192.168.1.0/24. It
will translate the source address from any traffic initiated from within
the 10.0.0.0/8 network and destined for anywhere other than
192.168.1.0/24 into an address from the range 22.214.171.124 -
Hope this leads you in the right direction
firewall-wizards mailing list