RE: [fw-wiz] Clients can't access pix w/ vpn from behind nat devices using the newest cisco client.
From: Melson, Paul (PMelson_at_sequoianet.com)
To: "Vincent Martin" <VMartin@4service.net>, <email@example.com>
Date: Wed, 22 Oct 2003 13:00:01 -0400
Part of the issue is that the NAT device is changing the source ports on
the VPN client, which causes problems for the PIX unless `isakmp
nat-traversal` (which, as you said, is available in PIX OS 6.3) is set
in the config. Depending on the NAT device, you may be able to
statically map the source port based on the destination port and/or
address. In some D-Link, Linksys, and probably other SOHO products,
there is a feature called "IPSec Passthrough" that can be enabled. On a
Linux or *BSD type firewall, you can do this manually. With pf, you
want to use 'static-port'. Here is the nat rule from pf.conf on my
OpenBSD firewall. The interface and network macros are defined
elsewhere in the config, but you get the idea.
nat on $ext_if from 10.0.0.247/32 to $vpn_nets -> ($ext_if) static-port
I am having some problems connecting to a pix firewall vpn connection
the cisco client when the clients are behind a nat device to the
Is there a way to let them connect without giving them a routable ip
or modifying their routers at all? Have any of you ever had to get past
this problem? Is it possible to get past this problem? I am new to pix
I have done some research. It seems that we need version 6.3 of the OS
that possibly doing nat traversal would help. All this is configured
though. Any help would be great. Thanks a lot.
firewall-wizards mailing list
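The single nat rule Paul posted, expanded into a complete translation section so the ordering and the port match are visible. This is an added example, not a config from either poster: the interface names, the inside network and the PIX addresses in $vpn_nets are assumed values, and it generalizes the one-host rule to any inside client sending IKE (UDP 500) or NAT-T (UDP 4500) to the VPN gateways.

```conf
# /etc/pf.conf excerpt, OpenBSD pf in the 3.x-era syntax of the thread.
# Every name and address below is assumed for illustration.
ext_if       = "fxp0"                       # outside interface
int_if       = "fxp1"                       # inside interface
internal_net = "10.0.0.0/24"                # hosts running the Cisco VPN client
vpn_nets     = "{ 192.0.2.1/32, 192.0.2.2/32 }"   # PIX outside addresses

# nat rules are first-match, so the exception has to come before the
# catch-all. static-port keeps the client's own source port (500 for IKE,
# 4500 for NAT-T) instead of substituting a random high port, which is the
# rewrite the PIX rejects when isakmp nat-traversal is not configured.
nat on $ext_if proto udp from $internal_net to $vpn_nets port { 500, 4500 } \
    -> ($ext_if) static-port

# Everything else from the inside is translated the normal way.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Outbound filter rules see the translated packet, hence from ($ext_if).
# Without NAT-T the data travels as ESP (proto 50), which has no ports.
pass out on $ext_if proto udp from ($ext_if) to $vpn_nets port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to $vpn_nets keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, confirm the rule order with `pfctl -s nat`, and watch `tcpdump -ni fxp0 udp port 500` while a client connects: the source port of the translated IKE packets should still be 500. The caveat is the reason this is a workaround rather than a fix: with static-port, two inside hosts that both start IKE to the same PIX would both need the external address with source port 500, so the second one collides and fails, and ESP has no port field at all for the NAT device to multiplex on. On the PIX side, `isakmp nat-traversal 20` (PIX OS 6.3, the number is the keepalive interval in seconds) lets the client and the PIX detect the NAT and move to UDP 4500 encapsulation, after which the NAT device no longer needs to preserve source ports.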