Pix to Pix tunnel through NAT

Discussion in 'Cisco' started by Jose Ros, Oct 19, 2004.

  1. Jose Ros

    Jose Ros Guest

    Can I do a pix to pix ipsec tunnel like this?
    PIX----NAT_device----INTERNET----PIX
     
    Jose Ros, Oct 19, 2004
    #1

  2. mcaissie

    mcaissie Guest

    Yes,

    on the NAT_Device you will need to create a static translation for the
    internal PIX. And you will have to permit the ipsec traffic from the
    external PIX to the translated address.

    For example:
    isakmp: udp 500
    esp: protocol 50
    ah: protocol 51
     
    mcaissie, Oct 19, 2004
    #2

  3. Walter Roberson

    Walter Roberson Guest

    :> Can I do a pix to pix ipsec tunnel like this?
    :> PIX----NAT_device----INTERNET----PIX

    :Yes,

    :on the NAT_Device you will need to create a static translation for the
    :internal PIX. And you will have to permit the ipsec traffic from the
    :external PIX to the translated address;

    There is another approach possible as of 6.3(2): turn on NAT traversal.
    The static translation will then only be necessary on the NAT device
    if the -other- PIX needs to be able to initiate sessions.

    If the NAT device does any filtering, then to support NAT Traversal, it
    will be necessary to allow through UDP 4500 in both directions, along
    with different dynamically-determined ports in each direction.
     
    Walter Roberson, Oct 19, 2004
    #3
  4. John Smith

    John Smith Guest

    Nothing wrong w/ previous answers, but why isn't your PIX doing that
    NAT'ing?
     
    John Smith, Oct 20, 2004
    #4
  5. Rik Bain

    Rik Bain Guest

    FWIW, if both UDP/500 and UDP/4500 are statically mapped, then there
    will be no dynamic ports. All traffic will occur over 500/4500.
     
    Rik Bain, Oct 20, 2004
    #5
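    The three replies above (mcaissie's port/protocol list, Walter Roberson's NAT traversal note, and Rik Bain's point about static mappings) can be folded into one check. The script below is an added example written for this thread, not code from any poster or from Cisco or Radware: it models a packet filter sitting in front of the NATed PIX as a set of permit rules and reports which IPsec flows it would block, with and without NAT-T. The `Rule` format and the two sample rule sets are constructed for the illustration and are not PIX or Linkproof syntax.

```python
"""Audit a packet filter in front of a NATed IPsec peer for the flows a
PIX-to-PIX tunnel needs, with and without NAT traversal.

Added example for the thread above; the Rule format and the sample rule
sets are constructed for illustration and are not PIX or Linkproof syntax."""
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers and UDP ports named in the thread
UDP, ESP, AH = 17, 50, 51
ISAKMP_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Rule:
    direction: str           # "in" = toward the translated PIX, "out" = from it
    proto: int               # IP protocol number
    dst_port: Optional[int]  # UDP destination port; None for ESP/AH


def describe(rule: Rule) -> str:
    name = {UDP: "udp", ESP: "esp", AH: "ah"}.get(rule.proto, str(rule.proto))
    port = f"/{rule.dst_port}" if rule.dst_port is not None else ""
    return f"{rule.direction}bound {name}{port}"


def required_flows(nat_traversal: bool, use_ah: bool = False) -> set:
    """Flows that must be permitted in both directions.

    Without NAT-T: ISAKMP on UDP/500 plus raw ESP (protocol 50), and AH
    (protocol 51) only if the tunnel uses it.  With NAT-T (PIX 6.3(2) and
    later): ISAKMP on UDP/500 and UDP-encapsulated ESP on UDP/4500, so raw
    ESP/AH no longer has to cross the NAT device."""
    flows = set()
    for direction in ("in", "out"):
        flows.add(Rule(direction, UDP, ISAKMP_PORT))
        if nat_traversal:
            flows.add(Rule(direction, UDP, NAT_T_PORT))
        else:
            flows.add(Rule(direction, ESP, None))
            if use_ah:
                flows.add(Rule(direction, AH, None))
    return flows


def audit(permitted: set, nat_traversal: bool, static_udp_ports: set,
          use_ah: bool = False) -> list:
    """Return findings as strings; an empty list means the filter passes."""
    findings = []
    missing = required_flows(nat_traversal, use_ah) - permitted
    for rule in sorted(missing, key=lambda r: (r.direction, r.proto, r.dst_port or 0)):
        findings.append(f"missing permit: {describe(rule)}")
    if nat_traversal:
        # With UDP/500 and UDP/4500 statically mapped the tunnel stays on
        # those two ports; otherwise the NAT device picks a translated source
        # port per session and the inbound permit cannot pin the source port.
        for port in (ISAKMP_PORT, NAT_T_PORT):
            if port not in static_udp_ports:
                findings.append(
                    f"udp/{port} has no static mapping: expect a dynamically "
                    f"chosen translated source port on the outside")
    return findings


# Constructed sample: a filter written for plain ESP pass-through only
LEGACY_PERMITS = {
    Rule("in", UDP, ISAKMP_PORT), Rule("out", UDP, ISAKMP_PORT),
    Rule("in", ESP, None), Rule("out", ESP, None),
}
# Constructed sample: the same filter extended for NAT-T
NAT_T_PERMITS = LEGACY_PERMITS | {
    Rule("in", UDP, NAT_T_PORT), Rule("out", UDP, NAT_T_PORT),
}

if __name__ == "__main__":
    for label, permits, nat_t in (("no NAT-T", LEGACY_PERMITS, False),
                                  ("NAT-T, legacy filter", LEGACY_PERMITS, True),
                                  ("NAT-T, updated filter", NAT_T_PERMITS, True)):
        print(f"== {label}")
        for finding in audit(permits, nat_t, {ISAKMP_PORT, NAT_T_PORT}) or ["ok"]:
            print(" ", finding)
```

    Running it shows the legacy filter passing without NAT-T, failing on UDP/4500 once NAT-T is turned on, and passing again with the extended rule set. Because the NAT device in the thread does no filtering, the useful part there is the static-mapping check, which reflects the point that a static map for both UDP/500 and UDP/4500 keeps all tunnel traffic on those two ports.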
  6. Jose Ros

    Jose Ros Guest

    Thanks for the answers guys. The NAT device is a Radware Linkproof
    load balancing 3 ISPs. It does not do any filtering whatsoever so I
    think I'm good.
     
    Jose Ros, Oct 21, 2004
    #6
  7. an admin too

    an admin too Guest

    We're using the Linkproof, too, and no problems with our VPN. You have to
    set up rules so that the VPN stays on the one range from one of your ISPs.
    We can connect VPN clients through the other ISPs, but the point-to-points
    don't work so well. However, if we put a 'branch' unit at the remote
    site the VPN will be load balanced. If only the PIX would support peers by
    URL....

    Email me if you would like more info on my Linkproof setup. I'm very
    interested in seeing how others are using the device.
     
    an admin too, Oct 21, 2004
    #7
