 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  "'m0n0wall at lists dot m0n0 dot ch'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] MonoWall and PIX
 Date:  Wed, 19 Apr 2006 00:28:16 +0200
You can use NAT on the m0n0wall but you will need to configure NAT-T on the PIX.
If you want to run NAT-T you need to allow UDP-4500 through the m0n0wall.
This would work.

The Cisco alternative would be the VPN-Concentrator (3000 series) which allows 
IPsec over TCP (default is TCP-10000) and is not affected by NAT.

Daniele

Alex Randjelovic wrote:
> Thank you for your reply.
> I don't think the PIX will support PPTP. Also, if the upstream monowall provides
> NAT, will IPsec be able to go through NAT and terminate on the downstream
> PIX?
> One more question. If I configure the OPT interface on the upstream monowall to
> be in bridge mode with the WAN interface, would I need one public IP address
> for the monowall WAN interface, and one for the PIX?
> 
> Alex
> 
> -----Original Message-----
> From: Lee Sharp [mailto:leesharp at hal dash pc dot org] 
> Sent: Monday, April 17, 2006 1:30 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] MonoWall and PIX
> 
> From: "Alex Randjelovic" <alexr at atnetplus dot com>
> 
>> I have an interesting challenge. Our company has a cable Internet line with
>> a single static IP address. I need to set up monowall connected to the
>> cable line, and after monowall a PIX 501 that will terminate VPN
>> connections and provide Internet access for LAN users. Between monowall
>> and PIX there will be a DMZ, providing wireless clients with Internet
>> access (via wireless AP). Unfortunately, the company requirement is to
>> terminate VPN connections on the PIX, not monowall.
>>
>> To be able to set up the PIX as the VPN device, I have to pass all traffic from
>> monowall to the PIX. I don't think bridge mode would work, because there is
>> only 1 public IP address.
> 
> 
> Under VPN -> PPTP, check "Redirect incoming PPTP connections to:" and it
> works.  Unless you are under IPsec, and I haven't tried that one.
> 
>                         Lee 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 

-- 

best regards

------------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNA, CCNP

Ackersteinstrasse 203
CH-8049 Zurich
------------------------------------------------------------------
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
					William Jennings Bryan

GPG Fingerprint: 46EF FB0A A405 659F FB63 860B 6059 7A22 F58E 830E


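The reason behind Daniele's advice (NAT-T on the PIX, UDP/4500 allowed through the m0n0wall) is that ESP carries no port numbers, so a port-based NAT has nothing to map; NAT-T wraps ESP in UDP/4500 after the peers detect the NAT during IKE on UDP/500. The Python below is an added illustration, not code from the thread, from m0n0wall or from Cisco. It goes a little beyond the message: it models the two port-forwards a generic NAT needs (the inside address is a placeholder), and it parses the three datagram kinds that share UDP/4500 per RFC 3948, using constructed sample packets rather than captured traffic.

```python
"""NAT-T helper, added as an illustration (not code from m0n0wall, Cisco,
or anyone in this thread).

  1. ESP (IP protocol 50) has no ports, so a port-based NAT on the m0n0wall
     cannot map it to the inside PIX. NAT-T (RFC 3948) wraps ESP in UDP/4500;
     the peers detect the NAT during IKE on UDP/500 and switch. Hence the
     m0n0wall needs UDP/500 and UDP/4500 forwarded to the PIX.
  2. Three kinds of datagram share UDP/4500: UDP-encapsulated ESP, IKE behind
     a 4-byte non-ESP marker, and the one-byte NAT keepalive.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str                   # "udp", "tcp" or "esp"
    dport: Optional[int] = None  # None for protocols without ports (ESP)


@dataclass(frozen=True)
class ForwardRule:
    proto: str
    dport: int
    target: str  # inside address the NAT maps the port to


# Constructed rule set: the forwards the reply implies. The inside address
# is a placeholder, not one taken from the thread.
PIX_OUTSIDE_ADDR = "192.0.2.10"
NATT_RULES = (
    ForwardRule("udp", 500, PIX_OUTSIDE_ADDR),   # IKE / ISAKMP
    ForwardRule("udp", 4500, PIX_OUTSIDE_ADDR),  # NAT-T: IKE + UDP-encapsulated ESP
)


def forward_target(flow: Flow, rules=NATT_RULES) -> Optional[str]:
    """Inside host a port-based NAT would hand this flow to, or None.

    A port-less protocol such as raw ESP can never match a port rule,
    which is why IPsec through the m0n0wall NAT only works with NAT-T.
    """
    if flow.dport is None:
        return None
    for rule in rules:
        if rule.proto == flow.proto and rule.dport == flow.dport:
            return rule.target
    return None


# RFC 3948: an ESP SPI of zero is reserved, so four zero bytes at the start
# of a UDP/4500 payload mark an IKE packet instead of ESP.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
ISAKMP_HDR = struct.Struct("!QQBBBBII")  # 28-byte ISAKMP/IKE header


def classify_natt(udp_payload: bytes) -> dict:
    """Classify one UDP/4500 datagram payload per RFC 3948 section 2."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(udp_payload) < 8:
        raise ValueError("too short for NAT-T: %d bytes" % len(udp_payload))
    if udp_payload[:4] == NON_ESP_MARKER:
        ike = udp_payload[4:]
        if len(ike) < ISAKMP_HDR.size:
            raise ValueError("truncated IKE header after non-ESP marker")
        (ispi, rspi, _next, version, exch,
         _flags, _msgid, length) = ISAKMP_HDR.unpack(ike[:ISAKMP_HDR.size])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "version": version, "exchange_type": exch, "length": length}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample datagrams (not captured traffic).
SAMPLE_KEEPALIVE = NAT_KEEPALIVE
SAMPLE_IKE = NON_ESP_MARKER + ISAKMP_HDR.pack(
    0x1122334455667788, 0, 1, 0x10, 2, 0, 0, 28)  # IKEv1 main mode, header only
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)  # SPI, seq, opaque body


if __name__ == "__main__":
    for flow in (Flow("udp", 500), Flow("udp", 4500), Flow("esp")):
        print(flow, "->", forward_target(flow))
    for name, pkt in (("keepalive", SAMPLE_KEEPALIVE),
                      ("ike", SAMPLE_IKE), ("esp", SAMPLE_ESP)):
        print(name, classify_natt(pkt))
```

Running the module shows the raw ESP flow mapping to nothing while both UDP flows map to the PIX, and the three sample payloads classified as keepalive, IKE and encapsulated ESP. The same classifier is useful on the m0n0wall side when checking that what reaches UDP/4500 is really NAT-T traffic and not something else on that port.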