[c-nsp] How do I get VPN access through a PIX

Andrew Yourtchenko ayourtch at gmail.com
Wed Oct 12 05:01:41 EDT 2005


Scott,

If the endpoints are Cisco gear, they should support NAT-T in any code
that is under ~1yr old - in which case you need to ensure it is
allowed in the configuration, and ensure that the UDP 500/4500 can get
NAT-ed when going out.

Both support for NAT-T "isakmp nat-traversal" - for the to-the-box
connections, and the heuristic to 'perform the PAT' of the
NAT-T-unaware IPSEC through the PAT - "fixup protocol esp-ike" (off by
default) - were added in 6.3.1.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn634.htm#wp67757
But as per above - this is a mostly irrelevant piece of info, just for
the sake of records. NAT-T-capable boxes can do IPSEC over anything
that can PAT the UDP traffic, which means PIX 4.x should work with
that as well :-)

thanks,
andrew

On 10/11/05, Voll, Scott <Scott.Voll at wesd.org> wrote:
> Anything for pix FOS 6.3?
>
> Scott
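A PIX 6.3 configuration fragment for the two cases the reply above describes, added here as an illustration and not part of the original post. Interface names, the NAT pool id and the inside/outside roles are assumed; comment lines use the colon prefix that PIX configuration files use.

```text
: --- Case 1: the VPN endpoint is a host on the inside; the PIX only PATs ---
: Outbound PAT for all inside hosts onto the outside interface address.
: A NAT-T-capable host sends IKE on UDP/500, then moves to UDP/4500; the
: PIX tracks both UDP flows statefully and lets the replies back in.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
:
: Only needed when the inside host does NOT do NAT-T: lets the PIX PAT raw
: ESP by pairing it with the preceding IKE exchange (6.3.1 and later, off by
: default, one such tunnel at a time).
fixup protocol esp-ike
:
: --- Case 2: the PIX itself terminates the tunnel (to-the-box) ---
: Enable IKE on the outside interface and NAT-T with a 20 second keepalive so
: that a PAT device in front of a remote peer keeps the UDP/4500 mapping open.
isakmp enable outside
isakmp nat-traversal 20
: Let decrypted IPsec traffic bypass the outside interface access list.
sysopt connection permit-ipsec
```

As I recall the 6.3 command reference, "fixup protocol esp-ike" cannot be combined with "isakmp enable" on any interface, so the two cases are alternatives rather than one configuration; verify this against the release notes linked above.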


