389 Views, 5 Helpful, 4 Replies

VPN Client through firewall to Cisco Pix

karl.jones
Level 1

Hi All

I am installing adsl in the home and need to create a vpn between cisco vpn client software on a winxp client and a pix firewall in our offices. I will be using a cheap firewall at home to protect my home PCs from the internet. This will have an adsl connection and will be doing PAT as I only have one public address.

Can I create a vpn between the cisco vpn client and the pix firewall through my adsl router which will be running PAT? From what I have understood from a lot of the posts that I have read, a problem arises when more than two people create a vpn to the same pix when using pat on the local fw/router. This shouldn't apply to me as I will only ever require one vpn tunnel at any one time between my home and work.

Could anyone please clarify if this will work ok? Any advice here much appreciated as I have no experience in this field.

Regards

4 Replies

jfrahim
Level 5

Hi Karl.

In an IPSec implementation which uses ESP ( protocol 50 ), the PAT device has no way of translating an ESP packet ( as an ESP packet does not have any port information ). There are some more intelligent FWs/PAT devices which PAT the ESP packet based on the spi values and the isakmp cookie value. So if your PAT device is capable of doing that, then it should work.

However, due to PAT and ESP restrictions, a lot of IPSec vendors are implementing NAT-T ( an ietf draft ) to solve this problem. NAT-T functionality is supposed to be introduced in version 6.3 which is not out yet. If you had a cisco IOS or a VPN 3K concentrator as the head-end VPN device, then this would have been possible now.

Hope that answers your question.

Jazib
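As an added illustration of Jazib's point (example code written for this page, not from the original thread or from Cisco): a toy PAT router that translates UDP by port but has nothing to rewrite in an ESP packet, and that, in "IPsec pass-through" mode, keys the ESP mapping on the SPI instead. Addresses and SPIs are constructed; it shows why one inside host works while a second host tunnelling to the same peer makes new inbound SPIs ambiguous.

```python
# Added toy model (not Cisco code): a PAT router forwarding UDP by port and
# ESP (IP protocol 50) by SPI, the way an "IPsec pass-through" device does.
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17
PUBLIC_IP = "203.0.113.10"  # assumed public address of the home PAT router

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # UDP only: the field PAT rewrites
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP only: a 32-bit SPI, no port at all

class PatRouter:
    def __init__(self, ipsec_passthrough: bool):
        self.passthrough = ipsec_passthrough
        self.udp = {}       # (inside ip, inside port) -> public port
        self.esp_out = {}   # (peer, outbound SPI) -> inside host
        self.esp_in = {}    # (peer, inbound SPI)  -> inside host

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == UDP:
            pub = self.udp.setdefault((p.src, p.sport), 40000 + len(self.udp))
            return Packet(UDP, PUBLIC_IP, p.dst, pub, p.dport)
        if p.proto == ESP and self.passthrough:
            self.esp_out[(p.dst, p.spi)] = p.src  # learn who owns this SPI
            return Packet(ESP, PUBLIC_IP, p.dst, spi=p.spi)
        return None  # plain PAT: nothing to translate in ESP, packet dropped

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == UDP:
            for (ip, port), pub in self.udp.items():
                if pub == p.dport:
                    return Packet(UDP, p.src, ip, p.sport, port)
            return None
        if p.proto == ESP and self.passthrough:
            host = self.esp_in.get((p.src, p.spi))
            if host is None:
                # New inbound SPI: bind it to the single inside host with a
                # tunnel to this peer. Two hosts behind PAT make this ambiguous.
                hosts = {h for (peer, _), h in self.esp_out.items() if peer == p.src}
                if len(hosts) != 1:
                    return None
                host = hosts.pop()
                self.esp_in[(p.src, p.spi)] = host
            return Packet(ESP, p.src, host, spi=p.spi)
        return None
```

The "inside" hosts stand in for the home PCs and the peer for the office PIX; with NAT-T, ESP would instead ride inside UDP and take the port-based path.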

Hi Jazib

Thanks for pointing me in the right direction and for a great reply. The PAT device I have been looking at is a Speedtouch 510 v4 which does support the use of protocol 50 but I am not sure on the PAT side. Could you recommend a low-end adsl router/fw that could do this for me - not cisco as it is only for home and coming out of my pocket.

Thanks again

Hi there,

In my personal experience, I have seen many vendors implementing this ESP/PAT feature, also known as "IPSec pass-through". In addition to Cisco routers, I have seen this functionality on Linksys, Dlink, SMC based routers.

I am sure there will be many more.

Hope that helps.

Jazib

Hi Jazib

Many thanks for the advice.

Best regards