
VPN + NAT , can not work using CSPM 232i

wongsusanto
Level 1

Hi,

I tried to configure VPN + NAT (overload + static). It could not work. Is CSPM not intended for that configuration? When I tried to configure NAT and then configure VPN, I didn't see the configuration for VPN in the command section, and when I tried to upload to the PIX, I didn't see such a command for VPN purposes. Can somebody help me, please?

Thanks in advance.

2 Replies

msitzman
Cisco Employee

CSPM 2.3.2.i does not include the firewall/vpn enhancements that are required to allow this type of IPsec configuration. You will need to use the 'f' train which is available for download. The only thing to consider is that if you are also managing IDS with, you need to continue to use the 'i' train for those sensors.

Solution:

Install another CSPM server and use the 'f' train for the firewall/VPN management. This software can be downloaded if you have a CCO account from the following location:

http://www.cisco.com/cgi-bin/tablebuild.pl/cspm

Thanks,

Marcus

I talked with one of our sensor testers. He has confirmed that CSPM will not currently support this configuration for IPSEC between CSPM and the sensor.

The UDP checksums are changed when using the IPSEC method that was necessary.

NT checks the UDP checksums and doesn't let the packet through because the checksums won't match.

On the Unix Director and the Sensor we can disable the UDP checksums in order to get IPSEC to work, but we couldn't do it on CSPM with the IRE client being used.

DDTS Issue: CSCdu56454