How does this config work?

Shaw, Dale Dale.Shaw at praxa.com.au
Sun Jul 8 06:06:35 EDT 2001


Hi all,

I guess questions are usually along the lines of 'how do I get this to
work?'.. well, this one's different. I've inherited it, it's working,
and I don't really know how :-)

The scenario is this.. PIX firewall running (old) V4.4(1), PC on 'inside'
network with the old 'Cisco Secure VPN Client' (V1.0 or V1.1 - not sure
yet) accessing a host on the Internet over an IPSec VPN. I don't know
what the peer is, but I presume it's a Cisco somethingorother.

The PC has an RFC1918 address and the PIX *IS* doing NAT. The PIX has a
'static' IP assignment mapping the internal host's IP to a global address
and although DHCP is in use on the inside network, this particular PC
has a reservation so it's effectively static.

Now, I thought that transport-mode ESP and NAT didn't play well or at
all.. am I missing something? The PC uses a digital certificate for
authentication if that makes any difference. I'm investigating this
because I want to tighten up the conduits on the PIX - am I right in
saying that the only conduits I need for this are for ESP from the peer
to the global address of our PC?

Right now there are a bunch of udp/isakmp and esp conduits.

Cheers,
Dale

VPN is sponsored by SecurityFocus.com




