Archived from groups: comp.dcom.vpn
We have a PIX firewall and we want to be able to allow L2TP VPN connections
out for our users. If we map an internal system to a valid external IP
address and permit 1701 UDP, 500 UDP and ESP outbound and inbound, it works.
The problem is, we do not have 500 valid external addresses to provide this
functionality to everyone who requires it. If we permit those ports
incoming to our global address (the one that everyone goes out on for HTTP), the
VPN cannot connect. We are missing something, and my best guess from what
information I can find is the following:
set nat entry add {internal device address} 1701 {outside NAT address} 1701 udp
That looks like it will still only work for one address. Is this the right
entry to make, or are we completely off? Any assistance would be
appreciated. Clients have to be able to connect to this VPN from behind the
NAT firewall.
TIA
KeTTA