Re: PIX VPN questions

From: Chad Marsh (chad@xxxxxx)
Date: Thu Aug 31 2000 - 13:30:57 GMT-3

Comments inline

----- Original Message -----
From: "Sam Munzani" <sam@chinet.com>
To: "ccielab Groupstudy" <ccielab@groupstudy.com>
Sent: Thursday, August 31, 2000 8:03 AM
Subject: PIX VPN questions

> Hi Group,
>
> A few VPN questions, keeping IPSEC in mind.
>
> 1. If you are talking to remote PIX firewall using client VPN and you are
> sitting behind another flavor of firewall, what ports do you need to open
> in order for the VPN client to work?

UDP port 500 for IKE, IP Protocol #50 for ESP, and if used, IP Protocol #51
for AH.

> 2. If the firewall on your side is doing PAT, will VPN client work talking
> to remote PIX unit?

Yes, but only if you have one client. Since the firewall is translating all
internal requests to one external address, the remote PIX only sees the
external address using IP Protocol #50 (ESP has no port numbers).
So if a second client were to send a request, the PIX would think it is the
original client wanting to re-negotiate the session, and it would generate
new keys. Now the second client is connected, but the original client got
bumped off. (This is from experience with this exact scenario with clients
behind a Linux firewall connecting to a remote PIX).

> 3. For site to site will DHCP work if you are using 5.2 beta code? 5.2
> Beta does support DHCP address on public address and PAT behind that
> address. I have a DSL site with a DHCP address that needs to be connected to
> the main site.

Don't know on that one, but would like to. Basically, are you asking whether in
5.2 the PIX will forward/convert a DHCP broadcast to a unicast and send it
out, like the 'ip helper' command in IOS? I had asked Cisco why the PIX
couldn't do that before, and they said it was a forthcoming feature...

Chad Marsh
CCIE # 5185
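The collision Chad describes in answer 2 can be modelled directly. The following is an added example, not code from the original post or from Cisco: a toy PAT firewall that keys UDP flows (IKE, port 500) on address plus port but can key ESP (IP protocol 50) only on address, so a second inside client's ESP traffic takes over the first client's flow toward the same PIX. All addresses are constructed from documentation ranges.

```python
# Added example (not from the original post): toy PAT model showing why IKE over
# UDP/500 stays distinguishable per client while ESP (protocol 50, no ports) does not.
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"    # constructed: the firewall's single outside address
UDP, ESP, AH = 17, 50, 51      # protocol numbers cited in the reply (AH handled like ESP)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocols that carry no port numbers
    dport: Optional[int] = None


class PatFirewall:
    """Minimal PAT: a port gives it a handle to tell inside hosts apart."""

    def __init__(self, public_ip: str = PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = 40000
        self.udp_map = {}      # (inside_ip, inside_port) -> translated public port
        self.esp_owner = {}    # remote peer -> inside host currently owning the flow
        self.bumped = []       # inside hosts whose ESP flow was taken over

    def translate_outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:   # unique public port per inside socket
            key = (pkt.src, pkt.sport)
            if key not in self.udp_map:
                self.udp_map[key] = self.next_port
                self.next_port += 1
            return Packet(UDP, self.public_ip, pkt.dst, self.udp_map[key], pkt.dport)
        if pkt.proto in (ESP, AH):  # nothing but the address to key on
            prev = self.esp_owner.get(pkt.dst)
            if prev is not None and prev != pkt.src:
                self.bumped.append(prev)   # remote PIX sees this as a renegotiation
            self.esp_owner[pkt.dst] = pkt.src
            return Packet(pkt.proto, self.public_ip, pkt.dst)
        raise ValueError(f"unsupported protocol {pkt.proto}")


def simulate_two_clients(pix: str = "198.51.100.1") -> dict:
    """Two inside clients bring up IKE, then send ESP to the same remote PIX."""
    fw = PatFirewall()
    ike_a = fw.translate_outbound(Packet(UDP, "10.0.0.11", pix, 500, 500))
    ike_b = fw.translate_outbound(Packet(UDP, "10.0.0.12", pix, 500, 500))
    esp_a = fw.translate_outbound(Packet(ESP, "10.0.0.11", pix))
    esp_b = fw.translate_outbound(Packet(ESP, "10.0.0.12", pix))
    return {
        "ike_distinct": ike_a.sport != ike_b.sport,  # True: ports keep IKE apart
        "esp_distinct": esp_a != esp_b,              # False: identical on the wire
        "bumped": list(fw.bumped),                   # ['10.0.0.11']
    }
```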



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:33 GMT-3