Hi, All,

  I recently had cause to connect a client inside our private
network (10.x.x.x) through a PIX with static NAT.  I already know of the
issues with PPTP (at least, the MPPC implementation) and NAT. However,
this instance was between an NT box running client software and a Nortel
Contivity (not our choice, client supplied gear).  The interesting point
was that the only way we could find to allow the IPSEC connection was to
open ALL IP traffic, between the two, at the PIX.

  This was apparently because (and I confirmed this with TAC) the PIX does
not allow the declaration of AH or ESP protocol permit statements. TCP,
UDP, GRE, ISAKMP,... but no joy with protocol 50 or 51 (not to mention
SKIP for the UNIX folks out there ).

  I was wondering if anyone else out there has fought this dragon?  TAC
hinted that this "small oversight" might be corrected in a future release
of the IOS.

Thanks in Advance,

Stan M. Hoffman, MCSE, CCNA
Senior Network Engineer
Rare Medium
Houston, TX
