Cisco VPN client through PIX using NAT/PAT

[sunyasee]

Hi Guys!

I have a question about using the VPN client to connect to a remote PIX from behind my own PIX which is running NAT/PAT, previously I have only mananged to get this to work when using static translations for devices that need to use clients. Is there another way without using static translations and still using NAT/PAT? I have read that in the 6.3 version of software there is a new command 'isakmp nat-traversal' is this designed to fix this problem? If so will this command also make it work for other kinds of IPSEC VPN clients?

Thanks for any advice!


----

Sunyasee

 

[SomeNetworkGuy]

What static translations did you use? I having problems connecting to my PIX 515 at work from behind my PIX 501 at home - no problems when i used a linksys firewall.

Thanks

SNG

 

[yizhar]

HI.

> I have read that in the 6.3 version of software there is a new command 'isakmp nat-traversal'
If you upgrade the remote PIX acting as VPN server, then it can help. You can suggest this to the remote pix administrator.

There is another new feature of 6.3 which is called "PAT for ESP" or "fixup protocol esp-ike", but it supports only a single session so it will probably not help "Sunyasee", but can help "SomeNetworkGuy":

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn63.htm#67762

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#1067379

Other options for "Sunyasee":
You can purchase a VPN 3002 hardware client to act as a VPN proxy for your internal hosts.
You can also try using "Easy VPN remote" on your pix firewall, but I don't think that it will work if you have other VPN configuration on your pix.


Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar