Using VPN Client outbound from behind a PIX

drumrb0y
Level 1

From what I understand, a PIX can either function as a VPN endpoint for IPsec tunnels, or allow IPsec traffic to pass through it to other endpoints behind it; my PIX is an endpoint, but there are some users who wish to use VPN Client to connect to outside points beyond the firewall.

Is there a way to configure a PIX to both pass-through IPsec traffic AND be an endpoint?

On a related note, can two software VPN Client hosts connect to each other?

Thanks,

Marc

Accepted Solution

jackko
Level 7

My company PIX does exactly what you posted: there are LAN-to-LAN VPNs, and we still establish VPNs to other businesses via the VPN Client software.

Regarding the pass-through, there shouldn't be any extra ACL or configuration required, assuming there is no outbound ACL on the PIX. One thing to note is that the other end (i.e. the termination point of the remote VPN client) has to permit NAT traversal, since the local PIX usually performs NAT/PAT.

On the other hand, a VPN directly between two clients is not feasible, as the name suggests (they are both clients).


3 Replies

Thanks for the reply.

It's good to know that outbound VPN is possible with no explicit configuration; we do have an outbound ACL, so should there be any permissions related to VPN-used ports that you know of?

The PIX does NAT outbound, also, so I guess we will have to make sure that the remote endpoint does NAT-traversal (unless the client host has a static translation, which is unlikely).

Marc

If you are doing port address translation, you have to issue the isakmp nat-traversal command. This is not part of the access-list.
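The following configuration fragment is an added illustration, not something posted in this thread or taken from Cisco documentation. It ties together the three points raised above: the outbound ACL Marc mentions has to explicitly permit the IKE and IPsec traffic the inside VPN Clients send, clients behind PAT depend on the remote endpoint accepting NAT-T (UDP 4500), and the PIX's own tunnels need isakmp nat-traversal when its peers or remote clients sit behind NAT. PIX 6.3-style syntax is assumed; the interface names, the 192.168.10.0/24 inside network and the ACL name INSIDE_OUT are constructed placeholders.

```cisco
! Added example (not from the thread): PIX 6.3-style fragment that keeps the PIX
! as an IPsec endpoint while still letting inside VPN Clients reach outside
! concentrators through PAT. Addresses, interface and ACL names are placeholders.

! Outbound ACL on the inside interface. Because an ACL is present, the client
! traffic has to be listed explicitly: IKE (UDP 500), NAT-T (UDP 4500) and,
! for a host with a static one-to-one translation, raw ESP (IP protocol 50).
access-list INSIDE_OUT permit udp 192.168.10.0 255.255.255.0 any eq isakmp
access-list INSIDE_OUT permit udp 192.168.10.0 255.255.255.0 any eq 4500
access-list INSIDE_OUT permit esp 192.168.10.0 255.255.255.0 any
access-list INSIDE_OUT permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list INSIDE_OUT permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list INSIDE_OUT deny ip any any
access-group INSIDE_OUT in interface inside

! PAT for the inside network. Behind PAT, each client's ESP has no port to
! translate on, so the remote endpoint must accept UDP-encapsulated ESP (NAT-T).
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

! The PIX's own endpoint role: allow its tunnels to bypass the interface ACLs,
! enable IKE on the outside interface and accept NAT-T from peers or remote
! VPN Clients that are themselves behind NAT (keepalive every 20 seconds).
sysopt connection permit-ipsec
isakmp enable outside
isakmp nat-traversal 20
```

Two things worth checking after applying something like this: raw ESP from several PAT'd hosts to the same concentrator cannot be distinguished by the PIX, so clients behind PAT should be negotiating NAT-T rather than relying on the esp line; and the deny at the end of the ACL means any further port a client product uses (some rely on TCP encapsulation on a vendor-specific port) must be permitted explicitly or the tunnel will fail silently at the firewall.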