In most cases the PIX does not support VPNs over PAT; you need a static NAT
to establish a VPN tunnel.
Protocol 50 (Encapsulating Security Payload [ESP]) handles the
encrypted/encapsulated packets of IPSec. PAT devices
don't work with ESP since they have been programmed to work only with
Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
Internet Control Message Protocol (ICMP). In addition, PAT devices are
unable to map multiple security parameter indexes (SPIs). An alternative is
implemented in some devices like the VPN 3000 Concentrator by encapsulating
ESP within UDP and sending it to a negotiated port.

Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]


Lidiya,

On the PIX, when you configure IPSec, you configure a pool of addresses that
your IPSec clients will use on your own network.  For instance, your inside
network will have the IP addressing scheme of 192.168.0.0 with a class C
subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
subnet mask. Therefore, when your clients behind your firewall try to
talk to the 10.0.0.0 network, they will hit the firewall and be passed to the
translation from the pool.  You cannot have any devices in the middle which
PAT (i.e. a router which PATs the IP address of your PIX if your PIX is
establishing the tunnel). It must be a one-to-one translation from one end of
the tunnel to the other.  Everyone feel free to correct me if I'm wrong,
which I'm sure will be the case.

Jason

-----Original Message-----
From: Alex Lee [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 26, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or Cisco 800 handle IPSec through PAT then?
Thanks.

 Alex Lee

"Lidiya White" wrote in message
news:[EMAIL PROTECTED]...
> PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
> It all depends on the device that is between your client and PIX, that
> is doing PAT.
> IPSec uses the ESP protocol, which doesn't have ports, so how can you perform
> PAT (port address translation) for a protocol that doesn't understand the
> port concept?
> Some routers can pass IPSec through PAT (like Linksys, Cisco 800).
> So if the router/device that is doing PAT is IPSec aware, then you
> should be able to pass IPSec through. If not, then you have to make sure
> that one-to-one address translation happens for your VPN clients, not
> one-to-many (PAT)...
> Hope this helps...

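The point Doug and Lidiya both make, that ESP carries an SPI but no port field, so a classic PAT device has nothing to rewrite and nothing to key return traffic on, while ESP wrapped in UDP gives it a port to work with, can be shown with a small simulation. This is an added example, not code from the thread or from any Cisco product; the toy PAT box, the addresses, the SPIs and the choice of UDP port 4500 for the encapsulation are all constructed for the demo (the Concentrator feature Doug mentions negotiates its port; the number here is just a parameter).

```python
"""Toy PAT device: why raw ESP (IP protocol 50) cannot be port-translated and
how ESP-in-UDP fixes it.  Everything here is a constructed simulation."""
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
PEER = "203.0.113.1"      # the VPN gateway on the outside (constructed)
NAT_T_PORT = 4500         # UDP port assumed for ESP-in-UDP (constructed)


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ESP: it has no port fields
    dst_port: Optional[int] = None
    payload: bytes = b""


def esp_bytes(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header layout: 32-bit SPI, 32-bit sequence number, then data."""
    return struct.pack("!II", spi, seq) + ciphertext


def esp_spi(payload: bytes) -> int:
    """Read the SPI back out of an ESP packet."""
    return struct.unpack("!I", payload[:4])[0]


class PATDevice:
    """Port address translation that only understands TCP and UDP ports."""

    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_table = {}   # (proto, inside_ip, inside_port) -> outside_port
        self.in_table = {}    # (proto, outside_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto not in (PROTO_TCP, PROTO_UDP):
            # Nothing to rewrite and nothing to key the return packet on:
            # the SPI sits inside ESP and this box does not track SPIs.
            raise ValueError(f"cannot PAT IP protocol {pkt.proto}: no port field")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            self.out_table[key] = self.next_port
            self.in_table[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, self.outside_ip, pkt.dst_ip,
                      self.out_table[key], pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.proto not in (PROTO_TCP, PROTO_UDP):
            raise ValueError(f"cannot PAT IP protocol {pkt.proto}: no port field")
        inside_ip, inside_port = self.in_table[(pkt.proto, pkt.dst_port)]
        return Packet(pkt.proto, pkt.src_ip, inside_ip,
                      pkt.src_port, inside_port, pkt.payload)


def encapsulate(esp: Packet, port: int = NAT_T_PORT) -> Packet:
    """ESP-in-UDP: the whole ESP packet becomes the UDP payload."""
    return Packet(PROTO_UDP, esp.src_ip, esp.dst_ip, port, port, esp.payload)


def decapsulate(udp: Packet) -> Packet:
    """Strip the UDP wrapper and hand the ESP packet to the IPSec stack."""
    return Packet(PROTO_ESP, udp.src_ip, udp.dst_ip, payload=udp.payload)


# Two VPN clients behind the same PAT box, each with its own SPI (constructed;
# the demo reuses one SPI per client in both directions for brevity).
CLIENTS = [("192.168.0.10", 0x1001), ("192.168.0.11", 0x1002)]


def raw_esp_through_pat() -> list:
    """Both clients send raw ESP to PEER; the PAT box can do nothing with it."""
    pat = PATDevice("198.51.100.2")
    results = []
    for ip, spi in CLIENTS:
        try:
            pat.outbound(Packet(PROTO_ESP, ip, PEER, payload=esp_bytes(spi, 1, b"c")))
            results.append("translated")
        except ValueError as err:
            results.append(str(err))
    return results


def esp_over_udp_through_pat() -> dict:
    """Both clients wrap ESP in UDP; each gets its own outside port and the
    peer's reply is demultiplexed back to the right client with its SPI."""
    pat = PATDevice("198.51.100.2")
    outside_ports, delivered = {}, {}
    for ip, spi in CLIENTS:
        esp = Packet(PROTO_ESP, ip, PEER, payload=esp_bytes(spi, 1, b"c"))
        wire = pat.outbound(encapsulate(esp))
        outside_ports[ip] = wire.src_port
        # The peer answers to the translated address/port it saw on the wire.
        reply = Packet(PROTO_UDP, PEER, wire.src_ip, NAT_T_PORT, wire.src_port,
                       esp_bytes(spi, 1, b"r"))
        inner = decapsulate(pat.inbound(reply))
        delivered[inner.dst_ip] = esp_spi(inner.payload)
    return {"outside_ports": outside_ports, "delivered_spi": delivered}
```

Running `raw_esp_through_pat()` shows the PAT box refusing both clients' ESP outright; `esp_over_udp_through_pat()` shows the same two clients each receiving their own translated port and their own SPI coming back, which is the multiplexing Doug's Concentrator example relies on. Note that a one-to-one static NAT, as Jason and Lidiya describe, needs no port at all because the inside address alone identifies the client, which is why it works for raw ESP where PAT does not.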
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47490&t=47430