
Site to Client vpn

kjanakiraman
Level 1

We have a Cisco PIX firewall configured for VPN so that mobile users can connect to our network securely. The mobile users cannot connect to our network for mail access from customer sites, since they are behind the firewall, and generally they will not entertain making a static mapping in their firewall for VPN access. Is there any way in which the site-to-client VPN can work from anywhere, irrespective of firewall presence? Is the smart card option good? Is there any other option for secure connectivity, no matter whether a firewall is present or not?

Thanks in Advance

3 Replies

mostiguy
Level 6

Do you have isakmp nat-traversal enabled? It allows IPsec encapsulation in UDP to work from behind NAT.

If the clients are truly firewalling what leaves their network, it may not work. Some of our clients filter and proxy everything. The only answer for such a solution is an SSL-based VPN.

Thanks a lot for your mail. If I do not have NAT enabled on the firewall for the client system that is connecting through VPN, then the VPN will not work. Am I correct? I have not enabled nat-traversal. Is there any link which explains the configuration of SSL for VPN?

Thanks in Advance

NAT traversal is needed if the reason your users cannot connect is that they are behind a firewall at the client site that uses NAT.

With or without NAT, those clients could be firewalling and proxying all internet traffic. If that is the case, NAT traversal will not help, and the only solution is an SSL-based VPN. The 3000 series concentrators will support this soon (if not already). The PIX cannot - it only supports IPSec, PPTP and L2TP VPNs.
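
The UDP encapsulation mentioned in the replies, as an added example that is not part of the original thread: a classifier for UDP port 4500 payloads that tells NAT keepalives, IKE and ESP-in-UDP apart when reading a capture from a client site. It assumes the RFC 3948 framing (non-ESP marker of four zero bytes before IKE); the function names and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

NON_ESP_MARKER = b"\x00" * 4            # four zero bytes precede IKE on UDP/4500
IKE_HDR = struct.Struct("!8s8sBBBBII")  # 28-byte ISAKMP/IKE header
ESP_HDR = struct.Struct("!II")          # SPI, sequence number


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == b"\xff":
        # Single 0xFF byte: keeps the NAT mapping alive, carries no data.
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            return {"kind": "malformed", "reason": "short IKE header"}
        _, _, _, version, exchange, _, _, length = IKE_HDR.unpack_from(ike)
        return {"kind": "ike",
                "version": f"{version >> 4}.{version & 0x0F}",
                "exchange_type": exchange,
                "length": length}
    if len(payload) < ESP_HDR.size:
        return {"kind": "malformed", "reason": "short ESP header"}
    # A non-zero first word is the ESP SPI, so this is tunnelled traffic.
    spi, seq = ESP_HDR.unpack_from(payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize(payloads) -> Counter:
    """Count datagram kinds across a capture."""
    return Counter(classify_natt_payload(p)["kind"] for p in payloads)


# Constructed sample payloads (not taken from a real capture).
SAMPLES = [
    b"\xff",
    NON_ESP_MARKER + IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28),
    ESP_HDR.pack(0x1234ABCD, 1) + b"\x00" * 16,
    b"\x12\x34",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_natt_payload(sample))
    print(dict(summarize(SAMPLES)))
```

A capture that shows IKE on UDP 500 but nothing at all on UDP 4500 from the client side is consistent with the second case described above, where the site filters or proxies outbound traffic and NAT traversal cannot help.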