From: P729 (p729@cox.net)
Date: Wed Oct 02 2002 - 18:29:59 GMT-3
That's what I've heard and read too. Single-instances of IPSec-based VPN
clients on the inside are typically supported by mapping all IKE and ESP
traffic to the one inside address that started the IKE connection. Multiple
instances are supported by mapping the inbound SPI to the inside address
(thus limiting this to multiple connections starting on the inside only), so
the IKEs need to be snooped.
I've made numerous inquiries to the TAC regarding passthrough support (If
the lowly Linksys can do it, why not the PIX?) and thus far the responses
have ranged from "not on any IOS or PIX roadmaps" to confusion with
"transparent tunneling" (NAT-T) support (a la VPN 3000). No joy.
The only workaround I've been able to come up with is selectively NATing IKE
and ESP to a pool, setting the translation timeouts down to 5 mins. if
there's likely to be contention for the pool and NAPTing everything else,
which takes the PIX out of the picture (since it can't selectively NAT based
on anything other than IP address) and needs to be done on an IOS router.
For reference, this might be as good a place to start as any:
http://www.ietf.org/html.charters/ipsec-charter.html
Regards,
Mas Kato
https://ecardfile.com/id/mkato
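The mechanism Mas Kato describes above (IKE snooped so replies find the right inside host, ESP demultiplexed by the inbound SPI because ESP carries no ports) is worked through below as an added Python model. It is not code from any router, from the Linksys, or from anyone on this thread. Two things it assumes go beyond the post and are marked as assumptions in the comments: that concurrent IKE sessions are told apart by the cleartext ISAKMP initiator cookie, and that the inbound SPI is learned from the first reply packet that arrives for a tunnel still waiting for one. Addresses are from the RFC 5737 documentation ranges.

```python
"""Toy 'IPSec passthrough' NAT: IKE keyed on the initiator cookie, ESP on SPI.

Constructed illustration of the behaviour discussed in the thread, not code
from any router.  Assumptions beyond the thread:
  * IKEv1 sessions are distinguished by the ISAKMP initiator cookie, which is
    cleartext in every IKE header, so inbound IKE can be returned to the
    right inside host even when several hosts all use UDP/500.
  * The inbound ESP SPI is bound on the first inbound ESP packet from a peer
    that arrives while an inside host has sent outbound ESP to that peer and
    has no inbound SPI yet (oldest such entry wins).
"""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "198.51.100.1"   # outside address of the NAT (documentation range)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "ike" (UDP/500) or "esp" (IP protocol 50)
    cookie: bytes = b""   # ISAKMP initiator cookie, IKE only
    spi: int = 0          # ESP SPI, ESP only


@dataclass
class Tunnel:
    inside: str                     # inside host that started IKE
    peer: str                       # remote VPN gateway
    cookie: bytes                   # initiator cookie seen in outbound IKE
    out_spi: Optional[int] = None   # SPI on inside -> peer ESP
    in_spi: Optional[int] = None    # SPI on peer -> inside ESP (learned)


class PassthroughNAT:
    """Source NAT with per-tunnel state instead of per-port state."""

    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self.tunnels: list[Tunnel] = []

    def _find(self, **match) -> Optional[Tunnel]:
        for t in self.tunnels:
            if all(getattr(t, k) == v for k, v in match.items()):
                return t
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> Internet: snoop IKE/ESP state, rewrite the source address."""
        t = self._find(inside=pkt.src, peer=pkt.dst)
        if pkt.proto == "ike":
            if t is None:
                t = Tunnel(inside=pkt.src, peer=pkt.dst, cookie=pkt.cookie)
                self.tunnels.append(t)
            else:
                t.cookie = pkt.cookie           # new phase 1 from same host
        elif pkt.proto == "esp":
            if t is None:
                return None                     # ESP with no snooped IKE: drop
            t.out_spi = pkt.spi
        else:
            return None
        return Packet(self.public_ip, pkt.dst, pkt.proto, pkt.cookie, pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: pick the inside host by cookie (IKE) or SPI (ESP)."""
        t = None
        if pkt.proto == "ike":
            t = self._find(peer=pkt.src, cookie=pkt.cookie)
        elif pkt.proto == "esp":
            t = self._find(peer=pkt.src, in_spi=pkt.spi)
            if t is None:
                # Assumption: first reply binds the oldest tunnel to this peer
                # that has sent ESP out but has no inbound SPI yet.
                for cand in self.tunnels:
                    if (cand.peer == pkt.src and cand.out_spi is not None
                            and cand.in_spi is None):
                        cand.in_spi = pkt.spi
                        t = cand
                        break
        if t is None:
            return None                         # unsolicited: drop
        return Packet(pkt.src, t.inside, pkt.proto, pkt.cookie, pkt.spi)


def demo() -> dict:
    """Two inside clients to one gateway; returns which inside host each reply reached."""
    nat = PassthroughNAT()
    gw, a, b = "203.0.113.5", "192.168.1.10", "192.168.1.11"
    # Both clients start IKE from UDP/500, so ports alone cannot separate them.
    nat.outbound(Packet(a, gw, "ike", cookie=b"\xaa" * 8))
    nat.outbound(Packet(b, gw, "ike", cookie=b"\xbb" * 8))
    nat.outbound(Packet(a, gw, "esp", spi=0x1000))
    nat.outbound(Packet(b, gw, "esp", spi=0x2000))
    ike_b = nat.inbound(Packet(gw, PUBLIC_IP, "ike", cookie=b"\xbb" * 8))
    esp_a = nat.inbound(Packet(gw, PUBLIC_IP, "esp", spi=0xA001))   # binds to a
    esp_b = nat.inbound(Packet(gw, PUBLIC_IP, "esp", spi=0xB002))   # binds to b
    esp_a2 = nat.inbound(Packet(gw, PUBLIC_IP, "esp", spi=0xA001))  # known SPI
    stray = nat.inbound(Packet(gw, PUBLIC_IP, "esp", spi=0xDEAD))   # nothing pending
    return {"ike_b": ike_b.dst if ike_b else None,
            "esp_a": esp_a.dst if esp_a else None,
            "esp_b": esp_b.dst if esp_b else None,
            "esp_a2": esp_a2.dst if esp_a2 else None,
            "stray": stray}


if __name__ == "__main__":
    print(demo())
```

The binding step in `inbound` is the weak point and is why this only works for tunnels started from the inside: an inbound ESP packet whose SPI has never been seen can only be matched to a tunnel by ordering, so if the gateway's first reply for the second client lands before the first client's, the SPIs are bound to the wrong hosts. A plain PAT has no such step at all, which is why the original poster's static port mappings did nothing for protocol 50.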
----- Original Message -----
From: "Walker, Todd" <todd.walker@seurat.com>
To: "Joseph Rinehart" <jjrinehart@hotmail.com>; <ccielab@groupstudy.com>
Sent: Wednesday, October 02, 2002 12:27 PM
Subject: RE: IPSec Pass Through and NAT/PAT
This would do the trick for a single tunnel. But how does anyone perform
'IPSec passthrough' with IOS?
Does anyone have a reference to what IPSec passthrough is doing? It appears
to extend PAT to tracking SPI numbers for different VPN clients...
-----Original Message-----
From: Joseph Rinehart [mailto:jjrinehart@hotmail.com]
Sent: Wednesday, October 02, 2002 12:57 PM
To: ccielab@groupstudy.com
Subject: Re: IPSec Pass Through and NAT/PAT
I think I just figured out the answer:
http://www.cisco.com/warp/public/471/ios_pat_ipsec_tunnel.html
However, if anyone has additional thoughts, they would be welcomed.
:)
----- Original Message -----
From: Joseph Rinehart
To: ccielab@groupstudy.com
Sent: Wednesday, October 02, 2002 11:44 AM
Subject: IPSec Pass Through and NAT/PAT
This should be a fun one. I have a lab set up in a data center (6 routers and a Catalyst switch) and a smaller one set up at home (2 1601s and a 2518).
I connect the main pod to my one at home with GRE tunnels and it works like a charm. One 1601 is Internet facing and does NAT/PAT for the rest of my home network.
Not like I was surprised, but I can't get my VPN client to effectively tunnel through to the company server when I am at home. The Linksys wireless router did this with no trouble by using IPSec pass through (the VPN client is Nortel, by the way). I tried putting in some static port mappings to the interior machine but it didn't change anything. I know the 800 series has a pass through feature but didn't know if the 1600 12.2+ had something similar. Any ideas?
Joe
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:37 GMT-3