
IPSec through PIX to VPN Concentrator


veneficuss

IS-IT--Management
May 29, 2002
This is probably a simple question; I have not yet tried it. Figured I would save myself some pain first by asking here :)

OK, here is the diagram:

|VPN Client|---|internet|---|our gateway|---|PIX|---|VPN Concentrator|

VPN Client is the Cisco 3.5
VPN Concentrator is the 3015 with newest software
PIX is the 515-UR with an interface dedicated to the VPN

First, the VPN Client must be able to connect to the concentrator, so I have to open these on the PIX:

TCP port 10000
UDP port 500 (isakmp)
IP protocol 50 (esp)

Then I just want to pass IPSec through the PIX.
Is this done via
NAT (vpn) 0 access-list <my acl>
?? Is that all there is to it?
 
Hi.

I would use a static instead of nat 0.
Give the concentrator a private IP address like any other protected server (same subnet as the PIX inside interface), and use static to translate from outside.

If you have or can purchase more interfaces on the PIX, you can connect the concentrator to one or two of them. This can give you more control at the PIX over unencrypted traffic, in addition to the rules you specify at the concentrator.

I guess you're going to use only 1 interface of the concentrator, right? (this seems to me like the right way for you).

Bye
Yizhar Hurwitz
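
The static-plus-ACL approach suggested in the reply above, written out as an added PIX 6.x configuration sketch that is not part of the original thread. Assumptions: the addresses 192.0.2.10 (public) and 10.0.0.10 (concentrator) and the ACL name acl_outside_in are constructed placeholders, `outside` is the PIX default interface name, and `vpn` is the dedicated interface named in the question.

```cisco
! Added example, not from the thread. Addresses and ACL name are placeholders.

! One-to-one translation: public 192.0.2.10 <-> concentrator 10.0.0.10,
! which sits on the dedicated "vpn" interface from the question.
static (vpn,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0

! Permit only the three flows listed in the question, and only to the
! concentrator's translated address.
access-list acl_outside_in permit udp any host 192.0.2.10 eq isakmp
access-list acl_outside_in permit esp any host 192.0.2.10
access-list acl_outside_in permit tcp any host 192.0.2.10 eq 10000

! Bind the ACL to inbound traffic on the outside interface.
! Anything not matched above is dropped by the implicit deny.
access-group acl_outside_in in interface outside
```

Because the static is an address-only translation with no port rewriting, ESP (which has no ports) can pass through it. On the PIX, `show xlate` and the hit counts in `show access-list` confirm that the translation exists and that only these three entries are matching traffic.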
 