Chuck,

Please correct me if I am wrong, but you are using a router with PAT, and
with a router you will need those statics. But on the PIX you do not
need to have statics because it supports IPSec passthrough; I have no
statics on my PIX at all.

-----Original Message-----
From: Chuck Church [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 25, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Client & WIN2000 Internet sharing [7:58062]


Guys,

    IPSec will work with PAT, with some caveats.  On the device doing
the NAT/PAT, you need a static NAT entry to send IKE and IPSec to the
designated inside device.  Like this:

ip nat inside source list 100 interface Ethernet0/0 overload
! Standard PAT statement
ip nat inside source static esp 192.168.0.2 interface Ethernet0/0
! IPSec (ESP, IP protocol 50)
ip nat inside source static udp 192.168.0.2 500 interface Ethernet0/0 500
! IKE/ISAKMP

By doing this, inside device 192.168.0.2 can connect to an IPSec VPN,
using the 3.x client.  I'm doing it right now.  Of course, if you've got
more than 1 internal needing to dial, you'll need more external
addresses.  Now whether the M$ ICS can be told to send incoming ISAKMP
and IPSec to a certain internal client is another question...

Chuck Church
CCIE #8776, MCNE, MCSE



>
> This is correct.  IPSec will NOT work through PAT.  At the moment, Pix does
> NOT support "NAT traversal (udp encapsulation)".  Therefore, trying to
> connect to a Pix behind a NAT device with vpn dialer will not work.  VPN
> concentrators, on the other hand, will work.  Or better yet, throw away
> your Pix and put in either a CheckPoint NG Firewall or linux firewall
> (iptables).  Both CP and Linux are "stateful" firewalls.  If you want to
> stick with Pix, wait until version 6.3 where it will support "NAT
> traversal (UDP encapsulation)".
>
>  Edward Sohn  wrote: nope, it won't work... IPSec needs its own IP
> address and not PAT. I've tested this extensively, and it won't
> work... if anyone else can comment, please do.
>
> either way, best thing to do is get a few statics from your ISP and 
> statically translate...
>
> ed
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
> Of Derek
> Sent: Sunday, November 24, 2002 9:12 AM
> To: [EMAIL PROTECTED]
> Subject: PIX Client & WIN2000 Internet sharing [7:57988]
>
>
> I have a home network which uses an ADSL line which is shared via
> Internet Connection Sharing. I have 3 PCs in the network and they can
> all access the internet. From these PCs I am trying to connect to my
> office VPN. I can ping the address but cannot connect via Dialer. The
> VPN connection works when Internet Sharing is disabled. Is there
> any way around this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58063&t=58062
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
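The static entries Chuck posts above forward every ESP packet (IP protocol 50) to one inside host, while IKE on UDP/500 and, on later code with NAT traversal, UDP-encapsulated ESP can be multiplexed on ports. The block below is an added example, not code from the thread or from Cisco: a toy PAT table in Python that parses constructed IPv4/UDP/ESP packets and shows why two inside clients can both use UDP-encapsulated ESP through one public address, but only the statically mapped client can use raw ESP. The addresses are documentation ranges chosen for the example, the ESP payloads are dummy bytes, and the NAT-T port is the standard UDP 4500 from RFC 3948 (an assumption about the thread's "UDP encapsulation", which it does not name a port for).

```python
"""Toy PAT device showing why plain ESP needs a static mapping while
UDP-encapsulated ESP (NAT-T) can share one public address.  All packets
are constructed in-process; nothing touches the network."""
import struct
from ipaddress import IPv4Address

PROTO_UDP = 17
PROTO_ESP = 50           # IP protocol number for ESP
PORT_IKE = 500
PORT_NATT = 4500         # RFC 3948 UDP encapsulation port (assumed for NAT-T)


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp(spi, seq, data=b"\x00" * 16):
    """ESP header is just SPI + sequence number: there is no port field."""
    return struct.pack("!II", spi, seq) + data


def parse(pkt):
    """Pull out the fields a PAT device keys on."""
    proto = pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    body = pkt[20:]
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
    if proto == PROTO_ESP:
        (spi,) = struct.unpack("!I", body[:4])
        return {"proto": proto, "src": src, "dst": dst, "spi": spi}
    raise ValueError("unsupported protocol %d" % proto)


class PatRouter:
    """One public address; UDP is multiplexed on ports, ESP is not."""

    def __init__(self, public_ip, esp_static=None, udp_static=None):
        self.public_ip = public_ip
        self.esp_static = esp_static          # the one inside host that owns protocol 50
        self.udp_static = udp_static or {}    # public_port -> (inside_ip, inside_port)
        self.next_port = 1024
        self.out_table = {v: k for k, v in self.udp_static.items()}  # (inside_ip, port) -> public_port
        self.in_table = dict(self.udp_static)

    def outbound(self, pkt):
        p = parse(pkt)
        if p["proto"] == PROTO_UDP:
            key = (p["src"], p["sport"])
            if key not in self.out_table:           # allocate a fresh public port
                self.out_table[key] = self.next_port
                self.in_table[self.next_port] = key
                self.next_port += 1
            return {"action": "forward", "src": self.public_ip, "sport": self.out_table[key]}
        # ESP carries no port, so replies could not be demultiplexed: only the
        # statically mapped host may send it through this PAT device.
        if p["src"] == self.esp_static:
            return {"action": "forward", "src": self.public_ip, "sport": None}
        return {"action": "drop"}

    def inbound(self, pkt):
        p = parse(pkt)
        if p["proto"] == PROTO_UDP:
            inside = self.in_table.get(p["dport"])
            if inside:
                return {"action": "deliver", "dst": inside[0], "dport": inside[1]}
            return {"action": "drop"}
        if self.esp_static:                          # every inbound ESP goes to the static host
            return {"action": "deliver", "dst": self.esp_static, "dport": None}
        return {"action": "drop"}


def demo():
    """Two inside clients behind one public address talking to one VPN gateway."""
    gw, pub = "203.0.113.10", "198.51.100.1"      # constructed documentation addresses
    router = PatRouter(pub, esp_static="192.168.0.2",
                       udp_static={PORT_IKE: ("192.168.0.2", PORT_IKE)})
    out = {}
    for client in ("192.168.0.2", "192.168.0.3"):
        out[client, "ike"] = router.outbound(ipv4(PROTO_UDP, client, gw, udp(PORT_IKE, PORT_IKE, b"IKE")))
        out[client, "esp"] = router.outbound(ipv4(PROTO_ESP, client, gw, esp(0x1001, 1)))
        out[client, "natt"] = router.outbound(
            ipv4(PROTO_UDP, client, gw, udp(PORT_NATT, PORT_NATT, esp(0x1001, 1))))
    # Gateway-to-client direction.
    out["reply_esp"] = router.inbound(ipv4(PROTO_ESP, gw, pub, esp(0x2002, 1)))
    out["reply_ike"] = router.inbound(ipv4(PROTO_UDP, gw, pub, udp(PORT_IKE, PORT_IKE, b"IKE")))
    for client in ("192.168.0.2", "192.168.0.3"):
        pport = out[client, "natt"]["sport"]
        out[client, "reply_natt"] = router.inbound(
            ipv4(PROTO_UDP, gw, pub, udp(PORT_NATT, pport, esp(0x2002, 1))))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows 192.168.0.3's raw ESP dropped while its NAT-T traffic is forwarded on its own public port, and every inbound ESP datagram landing on 192.168.0.2 regardless of which client it was meant for; that is the "one external address per inside client" cost Chuck describes, and it is exactly what UDP encapsulation removes.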
