VPN clients behind PIX using PAT?

gglynn · ‎07-16-2002

Does anyone know if there is any work being done to enable some sort of IPsec ESP session multiplexing for PIX firewalls using PAT? I know that it's not possible today, but SonicWALL and Nexland devices can already support multiple IPsec client connections initiated from nodes on the inside interface of the firewall, and it is becoming increasingly frustrating that the PIX cannot.

paqiu · ‎07-16-2002

Cisco unity VPN Client 3.x can use "ipsec over UDP" or "ipsec over tcp" to a VPN 3000 concentrator.

So multiple VPN clients connections can initiated from the hosts behind the PIX doing PAT.

Acutally this feature will be better, because it does not matter the PAT equipment is a PIX, router or even Microsoft ICS (internet connection share), the IPSEC traffic can always pass through.

This feature will be implemented to PIX and IOS router soon. (VPN server end equipment).

If you are using Cisco unity VPN client 3.x., it should be all right when you are connecting to remote VPN server through a PIX.

Best Regards,

gglynn · ‎07-17-2002

I'm aware that CVPNC 3.x can encapsulate IPsec in TCP or UDP for tunnels that terminate on VPN 3000 Concentrators. I've used the feature several times for several customers, but other customers and my own staff frequently have the need to tunnel to a PIX through a PIX (with PAT). Other customers need to tunnel to a non-Cisco IPsec VPN server with a non-Cisco IPsec client (like the SafeNet Soft-PK client, for instance). Even once "IPsec over TCP/UDP" is implemented in IOS and PIX OS (is there any ETA information about this?), the latter will still be a problem.

Cheers,

George