02-17-2006 12:43 PM
From what I understand, a PIX can either function as a VPN endpoint for IPsec tunnels, or allow IPsec traffic to pass through it to other endpoints behind it; my PIX is an endpoint, but there are some users who wish to use VPN Client to connect to outside points beyond the firewall.
Is there a way to configure a PIX to both pass-through IPsec traffic AND be an endpoint?
On a related note, can two software VPN Client hosts connect to each other?
Thanks,
Marc
02-17-2006 06:33 PM
My company PIX does exactly what you posted: there are LAN-to-LAN VPNs, and we still establish VPNs to other businesses via VPN client software.
Regarding the pass-through, there shouldn't be any extra ACL or configuration required, assuming there is no outbound ACL on the PIX. One matter to note is that the other end (i.e. the termination point of the remote VPN client) has to permit NAT-traversal, since the local PIX usually performs NAT/PAT.
On the other hand, a VPN directly between two clients is not feasible, as the name suggests (they are both clients).
02-20-2006 06:27 AM
Thanks for the reply.
It's good to know that outbound VPN is possible with no explicit configuration; we do have an outbound ACL, so should there be any permissions related to VPN-used ports that you know of?
The PIX does NAT outbound, also, so I guess we will have to make sure that the remote endpoint does NAT-traversal (unless the client host has a static translation, which is unlikely).
Marc
02-23-2006 01:03 PM
If you are doing port address translation, you have to issue the isakmp nat-traversal command. This is not part of the access-list.
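To tie the two answers together for the case Marc describes (an outbound ACL on the inside interface, PAT on the PIX, and the PIX also terminating its own tunnels), here is an added PIX 6.3-style configuration fragment. It is not from the thread or from Cisco; the ACL name `outbound`, the inside subnet `192.168.1.0/24` and the 20-second keepalive value are assumptions. The port and protocol numbers are the standard ones: IKE on UDP 500, NAT-T encapsulation on UDP 4500, and native ESP as IP protocol 50.

```cisco
! --- Pass-through for VPN Client users behind this PIX ---
! Only needed because an outbound ACL exists; with no outbound ACL the
! earlier answer applies and nothing extra is required.
! Assumed ACL name "outbound", assumed inside subnet 192.168.1.0/24.
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq isakmp
access-list outbound permit udp 192.168.1.0 255.255.255.0 any eq 4500
access-list outbound permit esp 192.168.1.0 255.255.255.0 any
access-group outbound in interface inside

! --- NAT-traversal on the PIX that terminates VPN clients ---
! Issued on the endpoint, not in the ACL; 20 is an assumed keepalive
! interval in seconds. The remote endpoint your users dial into needs
! the equivalent setting, since this PIX PATs them.
isakmp nat-traversal 20
```

Because PAT rewrites UDP ports, a client behind this PIX can only negotiate a tunnel if the far-end concentrator accepts NAT-T (UDP 4500); the `esp` line is harmless but will not by itself make native ESP survive PAT, since ESP carries no port numbers. PIX 6.3 also offers `fixup protocol esp-ike` for the far end that lacks NAT-T, but it handles a single ESP session and is documented as incompatible with ISAKMP being enabled on the same PIX, so it does not fit a box that is itself a VPN endpoint.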