RE: [fw-wiz] PIX 515 and Cisco VPN client from inside

From: Wes Noonan (mailinglists_at_wjnconsulting.com)
Date: 08/30/03

    To: "'Brian Recore'" <brecore@mindsync.net>, "'Marko Kupiainen'" <marko.kupiainen@microcraft.se>
    Date: Fri, 29 Aug 2003 18:58:43 -0500
    
    

    This is dated information. The latest version of PIXOS has no problem with
    IPSEC and NAT/PAT.

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#1057446

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn633.htm#65230

    HTH

    Wes

    > In my experience you don't want to NAT/PAT the VPN traffic. You do
    > this by using the command "nat 0". There are other commands with it that
    > I can't recall, but the point is to NAT/PAT all traffic except the VPN
    > traffic.
    > I had to do this a couple of times in the past. It seems IPSec had
    > problems with the NAT traffic.
    >
    > Here is something from Cisco:
    > http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml
    >
    > access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
    > global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
    > nat (inside) 0 access-list 101
    > nat (inside) 1 10.0.0.0 255.0.0.0 0 0
    >
    >
    > This configuration will not translate those addresses with a source
    > address of 10.0.0.0/8 and a destination address of 192.168.1.0/24. It
    > will translate the source address from any traffic initiated from within
    > the 10.0.0.0/8 network and destined for anywhere other than
    > 192.168.1.0/24 into an address from the range 199.199.199.3 -
    > 199.199.199.62.
    >
    >
    >
    > Hope this leads you in the right direction
    >
    > Brian
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

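The quoted four-line PIX configuration is easy to misread, so here is a small model of what it does, written for this page as an illustration (it is not Cisco code and not a full emulation of PIXOS). It evaluates a source/destination pair leaving the inside interface against `nat (inside) 0 access-list 101` first and then against `nat (inside) 1` / `global (outside) 1`, reproducing the behaviour Brian describes: 10.0.0.0/8 to 192.168.1.0/24 keeps its real address, 10.0.0.0/8 to anywhere else is translated into the 199.199.199.3-199.199.199.62 pool. The sample addresses in the `__main__` block are constructed; the behaviour for a source no `nat` statement covers (PIX 6.x refuses to build a translation) is an assumption about that release, not something the thread states.

```python
"""Constructed model of the PIX NAT-exemption snippet quoted in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def net(address: str, mask: str) -> ipaddress.IPv4Network:
    # PIX access-list and nat statements use ordinary subnet masks,
    # not the inverted wildcard masks used in IOS access-lists.
    return ipaddress.IPv4Network(f"{address}/{mask}")


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# access-list 101 permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
ACL_101: List[Ace] = [Ace("permit", net("10.0.0.0", "255.0.0.0"),
                          net("192.168.1.0", "255.255.255.0"))]

# nat (inside) 0 access-list 101  -> traffic permitted by the ACL keeps its real address
NAT_EXEMPT_ACL = ACL_101

# nat (inside) 1 10.0.0.0 255.0.0.0 0 0  -> everything else from 10/8 uses global pool 1
NAT_RULES: List[Tuple[int, ipaddress.IPv4Network]] = [(1, net("10.0.0.0", "255.0.0.0"))]

# global (outside) 1 199.199.199.3-199.199.199.62 netmask 255.255.255.192
GLOBAL_POOLS = {1: (ipaddress.IPv4Address("199.199.199.3"),
                    ipaddress.IPv4Address("199.199.199.62"))}


def first_match(acl: List[Ace], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> Optional[str]:
    """Return the action of the first ACE matching src/dst; None is the implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return None


def outbound_translation(src: str, dst: str) -> Tuple[str, str]:
    """Classify a packet entering from the inside interface.

    Returns (kind, detail):
      ("exempt", real source)   nat 0 access-list matched, address left untouched
      ("dynamic", "lo-hi")      source rewritten to an address from the global pool
      ("no-xlate", real source) no nat statement covers the source (assumption:
                                PIX 6.x builds no translation and does not pass it)
    """
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)
    # The nat 0 access-list exemption is consulted before the numbered nat rules,
    # which is what keeps the VPN traffic's inside addresses intact.
    if first_match(NAT_EXEMPT_ACL, src_ip, dst_ip) == "permit":
        return ("exempt", src)
    for nat_id, network in NAT_RULES:
        if src_ip in network:
            lo, hi = GLOBAL_POOLS[nat_id]
            return ("dynamic", f"{lo}-{hi}")
    return ("no-xlate", src)


if __name__ == "__main__":
    samples = [("10.1.2.3", "192.168.1.10"),    # VPN traffic: must stay untranslated
               ("10.1.2.3", "198.51.100.7"),    # ordinary Internet-bound traffic
               ("172.16.5.5", "192.168.1.10")]  # source outside every nat statement
    for s, d in samples:
        print(f"{s} -> {d}: {outbound_translation(s, d)}")
```

The point the model makes visible is the order of evaluation: if the `nat 0 access-list` line were missing, the first sample would fall through to `nat (inside) 1` and the VPN peer would see a 199.199.199.x source instead of the 10.x address its crypto ACL expects, which is exactly the "IPSec has problems with NAT traffic" symptom in the thread.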

