01-21-2003 09:22 AM - edited 02-20-2020 10:30 PM
What is NAT Transparency, and why doesn't it work with the PIX? Are there any workarounds for this?
If I configure a PIX to receive VPN connections from outside, do I need to open any ports or protocols up on the outside interface, or should it just work? I believe everything is denied by default.
Best Regards
01-21-2003 09:50 AM
I'm not an expert, as I'm still trying to get things dialed in on my PIX, but I think I can help with a few of your questions.
I'm going to guess you are talking about IPSec, as NAT Transparency is not an issue with PPTP. Not sure about L2TP; I think it's bundled with IPSec.
NAT Transparency is the ability to terminate an IPSec VPN connection from a client that is being NATed. Normally IPSec does not allow for modification of the packet in transmission, so that when it arrives at the PIX it is unaltered. If your client is behind a Linksys or other SOHO router, that router probably does NAT, converting your inside IP to a public IP. That conversion alters the packet; the PIX sees this and drops the packet.
In some SOHO routers you can configure IPSec pass-through, which allows one client on the inside out without affecting the packet. Though it is spotty at best: I have two Linksys routers and it works with one and not the other.
As for terminating VPN connections, the setup of the PIX would depend on the type of VPN you are implementing. PPTP is pretty quick and easy. IPSec was more complicated for me to get going. The issues I've been struggling with are authentication: who's doing it and how the PIX communicates with it. The PIX can authenticate users by itself or with RADIUS, IAS, TACACS+, ACS, cert servers, etc.
I'm trying to use an MS CA server and having issues. )-;
Good Luck
Scott<-
01-21-2003 11:26 AM
Hey, thanks Scott for your input.
I guess my confusion is with the PIX and NAT transparency. I guess that if a VPN client is going through a PAT/NAT device, then the PIX will drop the packet, but if you're doing PIX-to-PIX, it should work OK... I think this is right. Please correct me if I am wrong.
With regards to VPN connections, do I need to open anything up on the PIX? If not, how come?
Regards
01-21-2003 03:39 PM
So you're setting up a PIX-to-PIX VPN? Then you would not need NAT Transparency, as both of the outside interfaces on the PIXes should be on the Internet. Unless of course you are being NATed by your upstream provider.
For a PIX-to-PIX VPN you can connect the two together by using IPSec and preshared keys. It's the quickest and most straightforward.
Here is a link to a simple PIX-to-PIX config:
http://www.cisco.com/warp/customer/110/38.html
Scott<-
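Added example (not from either poster, and not the configuration in Cisco's linked document): a single PIX OS 6.3 configuration that covers both threads of this discussion, the PIX-to-PIX tunnel with preshared keys that Scott recommends, and the NATed-client case behind it. The answer to "do I need to open anything up?" is visible in it: `isakmp enable outside` is what lets IKE (UDP/500), ESP (IP protocol 50) and, with NAT-T, UDP/4500 reach the PIX itself, and `sysopt connection permit-ipsec` exempts the decrypted traffic from the outside access-list, so no inbound conduit or access-list entries are needed for the tunnel. The PIX-side fix for NAT Transparency is `isakmp nat-traversal`, which first appeared in PIX OS 6.3; the 6.2 and earlier images current when this thread was written have no equivalent, which is why a NATed client then depended on the SOHO router's IPsec pass-through. All addresses, names and secrets are placeholders, and the `!---` lines are annotations in Cisco's documentation style, not commands.

```cisco
!--- PIX OS 6.3 example (added illustration; placeholder addressing throughout).
!--- This PIX: outside 203.0.113.1, inside 10.1.1.0/24.
!--- Remote PIX: outside 203.0.113.2, inside 10.2.2.0/24.
!--- Remote-access VPN Clients draw addresses from 192.168.100.0/24.

!--- Traffic to the remote site is "interesting" (gets encrypted) and, like
!--- traffic to the client pool, must be exempted from NAT (nat 0)
access-list vpn-site permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 192.168.100.1-192.168.100.50

!--- Decrypted IPsec traffic bypasses the outside access-list, so nothing
!--- else has to be opened for the tunneled traffic
sysopt connection permit-ipsec

!--- Phase 2 proposal: ESP with 3DES and SHA-1 HMAC
crypto ipsec transform-set strong esp-3des esp-sha-hmac

!--- Static crypto map entry: PIX-to-PIX with a known peer address
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-site
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong

!--- Dynamic entry (highest sequence number) for VPN Clients whose source
!--- address is unknown in advance, e.g. a NATed Linksys at home
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside

!--- Phase 1: enabling IKE on the outside interface is what allows UDP/500,
!--- ESP and (with NAT-T) UDP/4500 to terminate on the PIX itself
isakmp enable outside
isakmp identity address
!--- Preshared key for the PIX-to-PIX peer, bound to its public address
isakmp key PlaceholderSiteSecret address 203.0.113.2 netmask 255.255.255.255
!--- NAT-T (6.3 and later): when IKE detects a NAT/PAT device in the path,
!--- ESP is encapsulated in UDP/4500, which a PAT box can rewrite and track;
!--- the 20-second keepalive stops the SOHO router from aging out the PAT entry
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- VPN Client group (group name + password is the client's group
!--- authentication) and a local Xauth user
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server 10.1.1.10
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password PlaceholderGroupSecret
username vpnuser password PlaceholderUserSecret
```

The remote PIX carries the mirror image (its own inside subnet in `vpn-site` and `nonat`, `set peer 203.0.113.1`, and the same preshared key bound to 203.0.113.1). Check the result with `show isakmp sa` (a Phase 1 SA in QM_IDLE per peer) and `show crypto ipsec sa` (packet encrypt/decrypt counters climbing). On 6.2 or earlier, drop the `isakmp nat-traversal` line, which those images do not recognize; the site-to-site tunnel still works as long as neither outside interface is itself behind a NAT, which is exactly the caveat Scott raises about the upstream provider.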