[c-nsp] Cisco VPN Concentrator

Peder at NetworkOblivion peder at networkoblivion.com
Thu Nov 10 17:11:11 EST 2005


Yes, it is possible to put the inside interface behind a device like a 
PIX and then not use the outside interface.  I have one in production 
like that right now.  You can't do tcp nat traversal, but you can do udp 
nat traversal (not sure why udp works and tcp doesn't).

As far as hairpinning, the VPN3005 allows hairpinning if you have an 
internal router.  What you do is set the tunnel default gateway to the 
internal router.  A user sends a packet that should go out another vpn, 
it hits the vpn, it sends it to the internal router, the internal router 
sends it back to the vpn and the vpn then sends it out the other tunnel. 
Ugly, but it works.  If you don't have an internal router, I believe 
you are SOL.

David J. Hughes wrote:
> On 11/11/2005, at 12:39 AM, Bob Fronk wrote:
> 
> 
>>I have done some searching and cannot find any sample configs that use
>>only one Interface on the concentrator.  So I am beginning to wonder if
>>it is possible.  However, since the PPTP works, I have to believe that
>>the IPSec should work if I can figure out what I have done wrong.
> 
> 
> Does anyone have any input on this?  I've always assumed that the VPN 
> 3k would reject hair-pinned packets in the same way PIX's do (well, 
> have until very recently).
> 
> 
> David
> ...
> 
> 
> 

-- 

Network stuff you didn't know....
http://www.networkoblivion.com
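To make the hair-pin path in the reply above concrete, here is a small Python model of it. This is an added example, not code from the post or from Cisco: the tunnel names, subnets and next-hop labels are constructed, and the forwarding rules (a packet decrypted from a tunnel is never turned straight around; it goes to the tunnel default gateway, and only traffic arriving on the inside interface is looked up against the tunnels) are a simplification of what the post describes, not a model of the concentrator's real software.

```python
"""Toy model of VPN-concentrator hair-pinning via a tunnel default gateway.

Assumptions (constructed for this example, not taken from the post):
- Each tunnel is named and owns one remote subnet.
- A packet decrypted from a tunnel is handed to the tunnel default gateway
  (an internal router) instead of being matched against other tunnels.
- The internal router's routes for the remote subnets point back at the
  concentrator, so the packet re-enters on the inside interface and is then
  encrypted out the other tunnel.
"""
from ipaddress import ip_address, ip_network


class InternalRouter:
    """Internal router: routes for remote VPN subnets point at the concentrator."""

    def __init__(self, routes):
        # routes: {"10.2.0.0/16": "concentrator", ...}
        self.routes = {ip_network(net): nh for net, nh in routes.items()}

    def next_hop(self, dst):
        for net, nh in self.routes.items():
            if ip_address(dst) in net:
                return nh
        return "default"  # anything else leaves via the router's own default


class Concentrator:
    """Concentrator with named tunnels and an optional tunnel default gateway."""

    def __init__(self, tunnels, tunnel_default_gateway=None):
        # tunnels: {"siteA": "10.1.0.0/16", "siteB": "10.2.0.0/16"}
        self.tunnels = {name: ip_network(net) for name, net in tunnels.items()}
        self.tunnel_default_gateway = tunnel_default_gateway  # InternalRouter or None

    def tunnel_for(self, dst):
        """Tunnel lookup, only ever applied to traffic from the inside interface."""
        for name, net in self.tunnels.items():
            if ip_address(dst) in net:
                return name
        return None

    def forward_from_tunnel(self, src_tunnel, dst):
        """Return the hop-by-hop path of a packet that arrived decrypted from src_tunnel."""
        path = [f"in:{src_tunnel}"]
        if self.tunnel_default_gateway is None:
            # No internal router: decrypted traffic has nowhere to go but the
            # inside network, and the concentrator will not turn it around itself.
            path.append("dropped")
            return path
        path.append("inside->internal-router")
        if self.tunnel_default_gateway.next_hop(dst) != "concentrator":
            path.append("router:default")  # not a VPN destination; leaves normally
            return path
        path.append("internal-router->inside")
        out = self.tunnel_for(dst)
        path.append(f"out:{out}" if out else "dropped")
        return path


def build_topology(with_internal_router):
    """Two site-to-site tunnels, with or without the tunnel default gateway set."""
    tunnels = {"siteA": "10.1.0.0/16", "siteB": "10.2.0.0/16"}
    router = None
    if with_internal_router:
        router = InternalRouter({"10.1.0.0/16": "concentrator",
                                 "10.2.0.0/16": "concentrator"})
    return Concentrator(tunnels, tunnel_default_gateway=router)


if __name__ == "__main__":
    for flag in (False, True):
        vpn = build_topology(flag)
        print("internal router:", flag, "->",
              " > ".join(vpn.forward_from_tunnel("siteA", "10.2.0.5")))
```

Running it shows the two cases from the post side by side: without the internal router the siteA-to-siteB packet is dropped at the concentrator, and with it the packet takes the extra hop out to the router and back before being sent down the siteB tunnel.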

