Re: [fw-wiz] Cisco PIX VPN Pass-Through

From: Nick Chettle (lists_at_mogmail.net)
Date: 12/13/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 13 Dec 2004 16:15:09 +0000
    
    

    Hi Jason,

    Thanks for the advice.

    In order to enable NAT traversal I have to enable isakmp on the internal
    interface. When I do that, it tries to terminate the VPN on the PIX
    itself rather than passing the isakmp packets through to the internet.
    Is there any way to tell it not to do that?

    Thanks, Nick

    Hi Nick,

    It doesn't look like you have the "isakmp nat-traversal" command
    enabled. Hope this helps, from Cisco documentation:

    isakmp nat-traversal

    Network Address Translation (NAT), including Port Address
    Translation (PAT), is used in many networks where IPSec is also
    used, but there are a number of incompatibilities that prevent
    IPSec packets from successfully traversing NAT devices. NAT
    traversal enables ESP packets to pass through one or more NAT
    devices.

    The firewall supports NAT traversal as described by Version 2 and
    Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft,
    available at http://www.ietf.org/html.charters/ipsec-charter.html,
    and NAT traversal is supported for both dynamic and static crypto
    maps. NAT traversal is disabled by default on the firewall.

    To enable NAT traversal, check that ISAKMP is enabled (you can
    enable it with the isakmp enable if_name command) and then use the
    isakmp nat-traversal [natkeepalive] command. (This command appears
    in the configuration if both ISAKMP is enabled and NAT traversal
    is enabled.) If you have enabled NAT traversal, you can disable it
    with the no isakmp nat-traversal command. Valid values for
    natkeepalive are from 10 to 3600 seconds. The default is 20
    seconds.

    Jason
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
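One way to check what is actually on the wire once NAT traversal is in play (an added example, not code from this thread or from Cisco): the classifier below tells NAT-T keepalives, ISAKMP and UDP-encapsulated ESP apart on UDP/4500 using the framing from RFC 3948, the published form of the "UDP Encapsulation of IPsec Packets" draft quoted above. The sample packets are constructed, not captured from a PIX.

```python
import struct
from typing import Dict, Optional

# NAT-T moves both IKE and ESP onto UDP/4500 (RFC 3948, the published form of
# the draft quoted above). Three payload shapes can appear on that port.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixed to IKE packets so they differ from ESP
IKE_HEADER_LEN = 28                     # fixed ISAKMP header (RFC 2408)
IKEV1_EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}

def parse_ike_header(data: bytes) -> Optional[Dict]:
    """Decode the ISAKMP fixed header; None if the datagram is truncated."""
    if len(data) < IKE_HEADER_LEN:
        return None
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HEADER_LEN])
    return {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "major_version": version >> 4,
        "exchange": IKEV1_EXCHANGE.get(exch, str(exch)),
        "msg_id": msg_id,
        "length": length,
        # A zero responder cookie means phase 1 has not been answered yet.
        "phase1_start": rspi == bytes(8),
    }

def classify_nat_t(payload: bytes) -> Dict:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == b"\xff":                 # one-byte NAT keepalive
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:      # IKE: a real ESP SPI is never zero
        hdr = parse_ike_header(payload[4:])
        return {"kind": "isakmp", **hdr} if hdr else {"kind": "malformed"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    spi, seq = struct.unpack("!II", payload[:8])   # UDP-encapsulated ESP
    return {"kind": "esp", "spi": spi, "seq": seq}

# Constructed sample payloads (not taken from a real capture).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE_MM1 = (NON_ESP_MARKER
                  + bytes.fromhex("1122334455667788") + bytes(8)   # initiator / responder cookies
                  + bytes([1, 0x10, 2, 0])                         # next=SA, IKEv1, main mode, flags
                  + struct.pack("!II", 0, IKE_HEADER_LEN))          # message id, length (header only)
SAMPLE_ESP = struct.pack("!II", 0x0A0B0C0D, 7) + bytes(16)         # SPI, sequence, then ciphertext

if __name__ == "__main__":
    for name, pkt in [("keepalive", SAMPLE_KEEPALIVE), ("ike", SAMPLE_IKE_MM1), ("esp", SAMPLE_ESP)]:
        print(name, classify_nat_t(pkt))
```

Feeding the UDP payloads of a capture taken on the outside interface through classify_nat_t shows whether ISAKMP is leaving the PIX at all or only keepalives and ESP are.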

