
Firewall Wizards mailing list archives
Re: pix 515 vpn client using PAT
From: "Scott C. Best" <sbest () best com>
Date: Tue, 17 Jul 2001 09:19:54 -0700 (PDT)
Eric: Heya. Quick addendum:
AFAIK, the PIX 6.0 does not support IPSec in NAT mode (actually a UDP encapsulation of IPSec & IKE packets). The Cisco IPSec VPN3000 client does support IPSec in NAT mode as well as the VPN3000 concentrators. You should try to tweak your NAT box to always forward UDP/500 + ESP to the IPSec client behind it.
Not sure it'll work with every IPSec client, or every client OS, but I forwarded UDP/500+ESP across a NAT'ing Linux box to the LAN's *broadcast address*, and it allowed multiple WinNT clients behind the firewall to VPN simultaneously. It was one of those "I wonder if this works" sort of things. :) Suggested it to a PPTP user and they reported similar results with GRE.

cheers,
Scott