
Allowing Multiple IPSec VPN's through PIX

Status
Not open for further replies.

signat (MIS) - Joined Feb 16, 2005 - Messages: 2 - Location: US
Hi all,

The issue I am running into is one that I am not sure can be solved. I have a PIX 515 that is PAT-ing the outside interface address for the inside users. The PIX is a headend device connecting to the internet on the outside interface.

The goal I am hoping to achieve is to allow inside users to access, from their computers, a vendor's IPSec VPN device AT THE SAME TIME without having to make static NAT translations for their local IP addresses. I only have limited public IPs and I was wondering if there is currently a way to configure the PIX to allow multiple IPSec pass-through. I know that some time ago this was an issue with the PIX. And maybe only 2-3 years ago, Cisco released a newer version of IOS to do this for multiple PPTP connections. Any thoughts, or is my post confusing?
 
Ask the vendor to configure NAT Traversal (NAT-T) on their headend device. Once they do this configuration, all IPSec traffic will flow on UDP ports 500 and 4500 solving the issue with the ESP protocol through a NAT device and you will be able to pass multiple IPSec sessions through the PIX.
 
OK, just so I am clear: if the vendor enables NAT-T on their edge device, do I need to add the isakmp nat-traversal in my PIX config? Also, if I do, does this isakmp nat-traversal command stand alone or does it need to be a part of an isakmp policy that is enabled on an interface?
 
You don't need to enable anything on your PIX; it should only be configured on the headend device. The purpose is that your clients negotiate the tunnel with the PIX using NAT-T and, as a result of this negotiation (between the IPSec clients and the PIX), the ESP protocol will be encapsulated in a UDP packet.
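The replies above turn on one fact: with NAT-T the ESP traffic no longer crosses the PIX as IP protocol 50, but as UDP datagrams on port 4500 that a PAT device can translate per inside host like any other UDP flow. The following is an added example, not code from the thread or from Cisco: it frames UDP/500 and UDP/4500 payloads the way RFC 3947/3948 define them (a four-byte zero "non-ESP marker" in front of IKE on port 4500, a non-zero ESP SPI otherwise, a single 0xFF byte for NAT keepalives) and counts distinct ESP SPIs per inside host, which is what a firewall or IDS log would show when several inside users reach the vendor device at the same time. All packets and addresses are constructed inline; the header-building helpers are assumptions for the demonstration.

```python
"""Classify UDP datagrams on the IKE/NAT-T ports (500/4500) and count
UDP-encapsulated ESP tunnels per inside host.  Framing follows RFC 3948;
all sample datagrams are constructed here, not captured from a network."""
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE on 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 2.3: one-octet NAT keepalive
IKE_HEADER_LEN = 28                     # fixed ISAKMP/IKE header size
ESP_MIN_LEN = 8                         # SPI (4 bytes) + sequence number (4 bytes)


def classify(dst_port: int, payload: bytes) -> str:
    """Label one UDP payload seen on the IKE or NAT-T port."""
    if dst_port == IKE_PORT:
        # Plain IKE: header only, no marker.
        return "ike" if len(payload) >= IKE_HEADER_LEN else "malformed"
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if payload.startswith(NON_ESP_MARKER):
            # A zero SPI is reserved in ESP, so four zero bytes can only be the marker.
            return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "malformed"
        if len(payload) >= ESP_MIN_LEN:
            return "udp-encap-esp"      # first 4 bytes are a non-zero ESP SPI
        return "malformed"
    return "not-ipsec"


def esp_spi(payload: bytes) -> int:
    """SPI of a UDP-encapsulated ESP payload (network byte order)."""
    return struct.unpack(">I", payload[:4])[0]


def tunnels_per_host(datagrams) -> dict:
    """Count distinct outbound ESP SPIs per inside source address.

    datagrams: iterable of (src_ip, src_port, dst_port, payload).
    Each (src_ip, spi) pair is one security association; a PAT device keeps
    the hosts apart because each inside host gets its own translated UDP
    source port, which is exactly why NAT-T solves the multi-user case."""
    spis = {}
    for src_ip, _src_port, dst_port, payload in datagrams:
        if classify(dst_port, payload) == "udp-encap-esp":
            spis.setdefault(src_ip, set()).add(esp_spi(payload))
    return {ip: len(s) for ip, s in spis.items()}


# --- constructed sample packets (assumed helpers, not real traffic) ---------
def make_ike(spi_i=0x1122334455667788, exch=34, length=IKE_HEADER_LEN) -> bytes:
    """Minimal IKEv2 header: SPIi, SPIr, next payload, version 2.0, exchange
    type (34 = IKE_SA_INIT), flags (initiator), message id, length."""
    return struct.pack(">QQBBBBII", spi_i, 0, 0, 0x20, exch, 0x08, 0, length)


def make_esp(spi: int, seq: int = 1, data: bytes = b"\x00" * 16) -> bytes:
    """ESP header (SPI, sequence number) followed by opaque ciphertext bytes."""
    return struct.pack(">II", spi, seq) + data


SAMPLE = [
    ("10.1.1.10", 500, 500, make_ike()),                          # IKE_SA_INIT, plain port 500
    ("10.1.1.10", 4500, 4500, NON_ESP_MARKER + make_ike(exch=35)),  # IKE_AUTH floated to 4500
    ("10.1.1.10", 4500, 4500, make_esp(0xC0FFEE01)),              # host A's tunnel
    ("10.1.1.11", 4500, 4500, make_esp(0xC0FFEE02)),              # host B's tunnel
    ("10.1.1.11", 4500, 4500, make_esp(0xC0FFEE02, seq=2)),       # same SA, next packet
    ("10.1.1.11", 4500, 4500, NAT_KEEPALIVE),                     # keeps the PAT entry alive
    ("10.1.1.12", 4500, 4500, b"\x00\x00\x00\x00\x01"),           # marker but truncated IKE
]

if __name__ == "__main__":
    for src, _sp, dp, pl in SAMPLE:
        print(f"{src:<10} udp/{dp}: {classify(dp, pl)}")
    print("tunnels per inside host:", tunnels_per_host(SAMPLE))
```

Running it shows two inside hosts each holding one ESP tunnel on UDP/4500 through the same outside address, with the IKE and keepalive datagrams labelled separately; the truncated packet from 10.1.1.12 is flagged rather than counted as a tunnel.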
 