Guys,
IPSec will work with PAT, with some caveats. On the device doing the
NAT/PAT, you need a static NAT entry to send IKE and IPSec to the designated
inside device. Like this:
    ! Standard PAT statement
    ip nat inside source list 100 interface Ethernet0/0 overload
    ! IPSec
    ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
    ! IKE/ISAKMP
    ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
By doing this, inside device 192.168.0.2 can connect to an IPSec VPN, using
the 3.x client. I'm doing it right now. Of course, if you've got more than
1 internal needing to dial, you'll need more external addresses. Now
whether the M$ ICS can be told to send incoming ISAKMP and IPSec to a
certain internal client is another question...
Chuck Church
CCIE #8776, MCNE, MCSE
>
> This is correct. IPSec will NOT work through PAT. At the moment, Pix does
> NOT support "NAT traversal (udp encapsulation)". Therefore, trying to
> connect to a Pix behind a NAT device with vpn dialer will not work. VPN
> concentrators, on the other hand, will work. Or better yet, throw away
> your Pix and put in either a CheckPoint NG Firewall or Linux firewall
> (iptables). Both CP and Linux are "stateful" firewalls. If you want to
> stick with Pix, wait until version 6.3 where it will support "NAT
> traversal (UDP encapsulation)".
>
> Edward Sohn wrote: nope, it won't work...ipsec needs its own IP
> address and not PAT. i've tested this extensively, and it won't
> work...if anyone else can comment, please do.
>
> either way, best thing to do is get a few statics from your ISP and
> statically translate...
>
> ed
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek
> Sent: Sunday, November 24, 2002 9:12 AM
> To: [EMAIL PROTECTED]
> Subject: PIX Client & WIN2000 Internet sharing [7:57988]
>
>
> I have a home network which uses an ADSL line which is shared via
> Internet Connection Sharing. I have 3 PCs in the network and they can
> all access the internet. From these PCs I am trying to connect to my
> office VPN. I can ping the address but cannot connect via Dialer. The VPN
> connection works when Internet Sharing is disabled. Is there any way
> around this?
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58062&t=58062
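
Added example (not part of the original thread, and not IOS code): a toy Python model of the PAT device's translation table, showing why plain overload drops unsolicited IKE and port-less ESP, what the two static entries from the top message change, and why a second inside IPSec client needs another outside address. The outside address 203.0.113.1, the second host 192.168.0.3 and all class and function names are constructed for illustration.

```python
# Toy model of a PAT translation table (illustration only, names are hypothetical).
class PatDevice:
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.static = {}    # (proto, outside_port) -> (inside_ip, inside_port)
        self.dynamic = {}   # same shape, created by outbound TCP/UDP flows
        self.next_port = 1024

    def add_static(self, proto, inside_ip, port=None):
        """Model 'ip nat inside source static <proto> <ip> [port] interface ...'."""
        key = (proto, port)
        if key in self.static:
            raise ValueError(f"{key} already maps to {self.static[key][0]}")
        self.static[key] = (inside_ip, port)

    def outbound(self, proto, inside_ip, src_port):
        """Overload (PAT): give an inside TCP/UDP flow its own outside port."""
        out_port, self.next_port = self.next_port, self.next_port + 1
        self.dynamic[(proto, out_port)] = (inside_ip, src_port)
        return self.outside_ip, out_port

    def inbound(self, proto, dst_port=None):
        """Inside (ip, port) for a packet sent to the outside IP, or None if dropped."""
        key = (proto, dst_port)
        return self.static.get(key) or self.dynamic.get(key)

def demo():
    r = {}
    pat = PatDevice("203.0.113.1")          # constructed outside address
    # Plain PAT only: inbound IKE (UDP/500) and ESP (no ports) match nothing.
    r["before"] = (pat.inbound("udp", 500), pat.inbound("esp"))
    # The two static entries from the message, for inside host 192.168.0.2.
    pat.add_static("esp", "192.168.0.2")
    pat.add_static("udp", "192.168.0.2", 500)
    r["after"] = (pat.inbound("udp", 500), pat.inbound("esp"))
    # Other inside hosts still share the address for ordinary traffic.
    _, port = pat.outbound("tcp", "192.168.0.3", 40000)   # constructed host
    r["web_return"] = pat.inbound("tcp", port)
    # A second IPSec client cannot claim ESP on the same outside address.
    try:
        pat.add_static("esp", "192.168.0.3")
        r["second_client"] = "accepted"
    except ValueError:
        r["second_client"] = "rejected"
    return r

if __name__ == "__main__":
    print(demo())
```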