[c-nsp] Cisco VPN Concentrator

Bob Fronk bfronk at davishelliot.com
Thu Nov 10 10:56:13 EST 2005


I have those ports open to the Concentrator.

I have also enabled nat-t on the client and concentrator and still get
the same errors.

I think I will just hang the concentrator off a public IP on the edge
router and be done with it.

Bob Fronk, MCSE
bfronk at davishelliot.com   
 
 
 

-----Original Message-----
From: Stevens, Brant I. [mailto:brant.stevens at hcmny.com] 
Sent: Thursday, November 10, 2005 10:53 AM
To: kevin gannon; Bob Fronk
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco VPN Concentrator

I believe to use NAT Traversal, you will need to open UDP port 500 to
the concentrator as well.  IIRC, doesn't the Cisco client also use port
4500?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kevin gannon
Sent: Thursday, November 10, 2005 10:24 AM
To: Bob Fronk
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco VPN Concentrator

Don't have a box in front of me but if you are using clients that support
it I would advise using NAT Traversal:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/tunnel.htm#wp1029463

Regards
Kevin

On 11/10/05, Bob Fronk <bfronk at davishelliot.com> wrote:
> How might I do that?
>
> Bob Fronk, MCSE
> bfronk at davishelliot.com
>
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Thursday, November 10, 2005 10:09 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco VPN Concentrator
>
> On Thu, 10 Nov 2005, Bob Fronk wrote:
>
> > Cisco VPN 3000 Concentrator.  If you are familiar with this product,
> > you know that it has two interfaces, one private and one public.  I do
> > not wish to give this device a public internet address.  I want to
> > place it behind my PIX.
>
> If I read your message correctly, you will run into problems because
> IPSEC does not like being NAT'd.  Anything that scribbles on the
> headers of an IP packet (like NAT) will be problematic with IPSEC since
> the packet checksum would change.  You can try to work around this using
> NAT Transparency.
>
> jms
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

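Added example, not part of the thread and not Cisco's code: a Python sketch of the NAT discovery step in standards-track NAT Traversal (RFC 3947), showing why a concentrator placed behind a translating firewall ends up needing both UDP 500 and UDP 4500, the ports mentioned in the replies above. The addresses, cookies and function names are constructed for illustration, and SHA-1 as the negotiated hash is an assumption.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NAT_T_PORT = 500, 4500

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    # RFC 3947 sec. 3.2: HASH(CKY-I | CKY-R | IP | Port), using the negotiated hash
    blob = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, blob).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    # Sender: first payload describes the remote end, the rest its own address(es)
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, payloads, seen_src, seen_dst):
    # Receiver: recompute both hashes from the addresses actually on the packet
    about_me, about_peer = payloads[0], payloads[1:]
    return {
        "receiver_behind_nat": about_me != nat_d_hash(cky_i, cky_r, *seen_dst),
        "sender_behind_nat": nat_d_hash(cky_i, cky_r, *seen_src) not in about_peer,
    }

def ike_port_after_detection(result):
    # Any NAT on the path: IKE floats to UDP 4500 and ESP is UDP-encapsulated there
    return NAT_T_PORT if any(result.values()) else IKE_PORT

# Constructed sample values (documentation address ranges, made-up cookies)
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
CLIENT = ("198.51.100.20", 500)
PUBLIC_VIP = ("203.0.113.10", 500)   # address the firewall maps to the concentrator
CONCENTRATOR = ("10.1.1.5", 500)     # concentrator's real, private address

def static_nat_case():
    # Client addresses the public VIP; the firewall rewrites the destination
    sent = build_nat_d(CKY_I, CKY_R, local=CLIENT, remote=PUBLIC_VIP)
    return detect_nat(CKY_I, CKY_R, sent, seen_src=CLIENT, seen_dst=CONCENTRATOR)

def no_nat_case():
    # Concentrator holds the public address itself; nothing is rewritten
    sent = build_nat_d(CKY_I, CKY_R, local=CLIENT, remote=PUBLIC_VIP)
    return detect_nat(CKY_I, CKY_R, sent, seen_src=CLIENT, seen_dst=PUBLIC_VIP)

if __name__ == "__main__":
    for name, case in (("static NAT", static_nat_case), ("no NAT", no_nat_case)):
        r = case()
        print(name, r, "-> IKE continues on UDP", ike_port_after_detection(r))
```

The exchange always starts on UDP 500 and moves to UDP 4500 only after a hash mismatch, so a firewall in front of the concentrator has to pass both ports for NAT-T to complete.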