Cisco VPN Gateway: simultaneously accept IKE and forward it to another GW inbound, on same public IP

Discussion in 'Cisco' started by mountainwalker@yahoo.com, Sep 6, 2006.

  1. Guest

    Can a Cisco VPN Gateway simultaneously accept IKE and forward it to
    another GW inbound, on same public IP address? We have a customer who
    claims this is possible with Cisco. What do you think? Assume both
    the Cisco and 3rd party gateways are using the traditional UDP 500 and
    4500 for IKE and NAT-Traversal. We believe it's not possible with any
    vendor's product.

    The Cisco would have to be able to talk IKE on its public IP of
    68.98.222.222 for its own VPN policies, and forward IKE incoming to
    that same IP to an internal host 10.2.2.2 for VPNs coming in for the
    3rd-party gateway inside.


    (two different VPN peers want to do site-to-site VPN; one each with the
    Cisco and the 3rd party devices shown below in the diagram)

    |
    (internet cloud)
    |
    DSL provider network
    |
    WAN - public, dynamic, on PPPoE DSL (e.g. 68.98.222.222)
    (Cisco)
    LAN: 10.2.2.1 /24
    |
    (some servers sit here in 10.2.2.0 /24)
    |
    WAN: 10.2.2.2
    (3rd-party IKE VPN Gateway)
    LAN: 172.29.9.193 /28
    |
    (some servers sit here in 172.29.9.192 /28)
    , Sep 6, 2006
    #1

  2. In article <>,
    <> wrote:
    >Can a Cisco VPN Gateway simultaneously accept IKE and forward it to
    >another GW inbound, on same public IP address? We have a customer who
    >claims this is possible with Cisco. What do you think? Assume both
    >the Cisco and 3rd party gateways are using the traditional UDP 500 and
    >4500 for IKE and NAT-Traversal. We believe it's not possible with any
    >vendor's product.


    >(two different VPN peers want to do site-to-site VPN; one each with the
    >Cisco and the 3rd party devices shown below in the diagram)


    You were not specific about what variety of device a "VPN Gateway" is.

    The answer for the Cisco PIX running 4/5/6 series software is "NO".

    The answer for the Cisco PIX or ASA running 7 series software is
    "I don't know; maybe it was added, but I would think NO".

    The answer for the Cisco VPN 3000/5000 VPN Concentrators is
    "I don't know".

    The answer for Cisco routers is "Hmmm, possibly. If you create
    a loopback interface and attach the crypto map to it, and if you
    use policy-based routing on the IPSec packets based upon the source
    IP ranges, throwing them either at the loopback or at the further host,
    then it just might work... but I wouldn't want to wager on it."
    Walter Roberson, Sep 6, 2006
    #2
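As an added illustration of the source-based steering Walter describes (not code from the thread, from Cisco, or from any gateway vendor): a user-space model that classifies inbound UDP 500/4500 datagrams by peer source range and hands them either to the local IKE responder or to the inner gateway. The public and inner addresses come from the diagram above; the peer range 203.0.113.0/24 and the minimal IKEv2 messages are constructed for the example.

```python
import ipaddress
import struct

# Addresses from the thread's diagram; the peer range is a constructed example.
LOCAL_GATEWAY = "68.98.222.222"   # public IP, also the local IKE responder
INNER_GATEWAY = "10.2.2.2"        # 3rd-party gateway behind the Cisco
INNER_PEERS = [ipaddress.ip_network("203.0.113.0/24")]  # peers of the inner GW
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: precedes IKE carried on UDP 4500

def parse_ike_header(payload, dst_port):
    """Return the fixed 28-byte IKE header as a dict, or None if not IKE."""
    if dst_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return None           # ESP-in-UDP data, not an IKE message
        payload = payload[4:]
    if len(payload) < 28:
        return None
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", payload[:28])
    if length != len(payload):
        return None               # declared length must match the datagram
    return {"ispi": ispi, "rspi": rspi, "exchange": exch,
            "major": ver >> 4, "minor": ver & 0x0F, "flags": flags}

def steer(src_ip, dst_port, payload):
    """Pick the destination for one datagram purely by peer source address."""
    hdr = parse_ike_header(payload, dst_port)
    if dst_port == 500 and hdr is None:
        return "drop"             # only IKE belongs on UDP 500
    src = ipaddress.ip_address(src_ip)
    # UDP 4500 without a marker is ESP traffic and follows the same split.
    if any(src in net for net in INNER_PEERS):
        return INNER_GATEWAY
    return LOCAL_GATEWAY

def build_ike_message(ispi, exchange, nat_t=False):
    """Constructed, payload-less IKEv2 header used as sample input."""
    body = struct.pack("!QQBBBBII", ispi, 0, 0, 0x20, exchange, 0x08, 0, 28)
    return (NON_ESP_MARKER + body) if nat_t else body
```

The decision rests entirely on the peer's source address being in exactly one range, which is the part Walter hedges on; the inner gateway's replies would additionally have to be translated back to the public address.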

  3. Guest

    Thanks Walter. I asked about generic VPN Gateways because I wanted to
    know if there were any differences between the various ESP GW devices
    offered by Cisco.

    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    > >Can a Cisco VPN Gateway simultaneously accept IKE and forward it to
    > >another GW inbound, on same public IP address? We have a customer who
    > >claims this is possible with Cisco. What do you think? Assume both
    > >the Cisco and 3rd party gateways are using the traditional UDP 500 and
    > >4500 for IKE and NAT-Traversal. We believe it's not possible with any
    > >vendor's product.

    >
    > >(two different VPN peers want to do site-to-site VPN; one each with the
    > >Cisco and the 3rd party devices shown below in the diagram)

    >
    > You were not specific about what variety of device a "VPN Gateway" is.
    >
    > The answer for the Cisco PIX running 4/5/6 series software is "NO".
    >
    > The answer for the Cisco PIX or ASA running 7 series software is
    > "I don't know; maybe it was added, but I would think NO".
    >
    > The answer for the Cisco VPN 3000/5000 VPN Concentrators is
    > "I don't know".
    >
    > The answer for Cisco routers is "Hmmm, possibly. If you create
    > a loopback interface and attach the crypto map to it, and if you
    > use policy-based routing on the IPSec packets based upon the source
    > IP ranges, throwing them either at the loopback or at the further host,
    > then it just might work... but I wouldn't want to wager on it."
    , Sep 7, 2006
    #3
