Cisco PIX VPN

[sbudzisz]

Has anyone configured VPN access on a PIX.  It is my understanding this will not work if NAT is currently configured on the PIX. Is this correct.  Can the native vpn client with windows 2000 interact with the VPN on a PIX for remote access?

 

[Guest_imported]

Did you ever get a reply to this thread? I have the same issue. I understand from reading microsofts material on the subject that a &quot;nat editor&quot; is required in order to support MS PPTP with NAT. That functionality is built into MS-Proxy but I can not find any material to indicate whether PIX supports it or not.<br><br>Any info appreciated.<br><br>Thanks.

 

[Rbeane]

We gave up on Windows 2000 interaction with the PIX using native IPSec client and used the new vpn client from <A HREF="

http://www.ire.com"

TARGET="_new">

http://www.ire.com</A>

for ipsec.&nbsp;&nbsp;As for NAT we currently have nat setup on the PIX with VPN working.&nbsp;&nbsp;We are still working out an issue with networks on a firewalled DMZ(we use 4 DMZ's) with an ip addressing scheme other than that dmz. Ie.&nbsp;&nbsp;dmz is 192.168.1.0 and for internal setup a route has been created to a router(192.168.1.3) on that dmz to access the network on the other side of that router(164.x.x.x)

 

[jroysdon]

NAT and IPSec/VPN are two unrelated issues. If you are doing NAT, you do have the add extra lines to tell the firewall not to NAT, but rather use the IPSec tunnel, for packets meant to go over the VPN (and not unecrypted out to the public).

MS Win2k does not support IPSec's tunneling mode, nor ISAKMP SA authentication. Until it does, I believe you only choice is to get the IRE client. Cisco ships it under their name as Cisco Secure VPN Client and can be purchased in 100 user licenses for ~$200.

The other solution would be to have a router or another PIX with the appropriate IPSec software running. This is ideal if you have a large number of users at any single remote site and makes it transparent to them.