[VPN] Cisco IPSec VPN client through NAT/PAT

Joel M Snyder Joel.Snyder at Opus1.COM
Sat Oct 19 11:15:54 EDT 2002


The short answer is, "don't do that."  Although the PIX has capabilities
for remote access VPN, it's such an awful solution that learning about
it is kind of like learning about token ring for your CCIE: yeah, you
can do it, but you really wouldn't.  

It wouldn't surprise me if there is no NAT traversal capability in the
PIX, or if it only worked for NAT and not NAPT.  

Cisco has a MUCH BETTER solution in the 3000 series for remote access. 
It also has site-to-site capabilities, but those also fall into the
category of "don't do that."  Cisco sort of does a disservice to the
world by not making it abundantly clear that the PIX + IOS are good at
site-to-site and the 3000 is good at remote access, but pushing either
into the territory of the other is a bad idea.

Speaking of which: you may want to read Network World on October 28th (a
week from Monday), when a long and extensive review of VPN remote access
solutions will be published, including some head-to-head comparison of
Cisco 3000, Check Point, NetScreen, SonicWall, Avaya, Cylink, Imperito,
ActiveLane, and Secure Computing.

jms


Jerry Kemp wrote:
> 
> I picked up a Cisco PIX 501 to play with as a learning tool for VPN
> stuff.  Currently, I have it up and operational using the Cisco 3.6.x
> easyVPN client using public ip (client ip) to Cisco PIX (public ip).
> The PIX is running 6.2(2).  Also, I do not have the 3des license, only
> des.
> 
> When the Cisco VPN client is coming from behind a NAT/PAT source, I can
> connect to the PIX (still public ip), but no traffic ever makes it back
> to me.  I have determined this via the stats in the VPN client.
> 
> Can anyone point me to a URL where I can RTFM on Cisco PIX VPNs and
> NAT/PAT?  I have spent more time than I care to admit on CCO searching
> for something like this.
> 
> Thanks,
> 
> Jerry
> 

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One