VPN traffic can pass through the PAT, if the device that does PAT is IPSec aware. Remember, that device will only see the encrypted/encapsulated traffic, so the ip header will have ip src: your client's public ip; dst: PIX's outside interface. Doesn't matter what your pool is configured for... It's not just in the theory. From my own experience, I had 3 VPN clients that were behind Cisco 806, that was configured for PAT, simultaneously connecting to the same PIX via VPN and pass traffic.
-- Lidiya White -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, June 26, 2002 10:20 AM To: [EMAIL PROTECTED] Subject: RE: Cisco VPN client and NAT [7:47430] Lidiya, On the pix when you configure Ipsec you configure a pool of addresses that your Ipsec clients will use on your own network. For instance your inside network will have the ip addressing scheme of 192.168.0.0 with a class c subnet mask. You set the pool to give the 10.0.0.0 subnet with a class C subnet mask. Therefore when you your clients behind your firewall try to talk to the 10.0.0.0 network they will hit the firewall and be passed to the translation from the pool. You cannot have any devices in the middle which pat (IE a router which pats the ip address of your pix if your pix is establishing the tunnel) It must be a one to one translation from one end of the tunnel to the other. Everyone feel free to correct me if I'm wrong which I'm sure will be the case. Jason -----Original Message----- From: Alex Lee [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 3:20 PM To: [EMAIL PROTECTED] Subject: Re: Cisco VPN client and NAT [7:47430] So how does the Linksys or cisco 800 handles the IPSec thru PAT then ? Thanks. Alex Lee ""Lidiya White"" wrote in message news:[EMAIL PROTECTED]... > PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do. > It all depends on the device that is between your client and PIX, that > is doing PAT. > IPSec uses ESP protocol, that doesn't have ports, so how can you perform > PAT (port address translation) for a protocol that doesn't understand > port concept? > Some routers can pass IPSec through the PAT (like Linksys, Cisco 800). > So if the router/device that is doing PAT is IPSec aware, then you > should be able to pass IPSec through. If not, then you have to make sure > that one-to-one address translation happens for your VPN clients, not > one-to-many (PAT)... > Hope this helps... Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47530&t=47430 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
