VPN Setup on Cisco 827 router/ PIX 506E firewall

Posted on 2006-06-05
Last Modified: 2010-04-12
It has been a long time since I have done any Cisco work, and I am trying to set up VPN access to our corporate LAN for remote users who will be using the Cisco VPN software client.
I have a Cisco 837 DSL router (which has a static IP address from the ISP) connected to a Cisco PIX506E firewall, which in turn is connected to the internal LAN. Both devices can support VPN and I have activated NAT on both to increase security. I have chosen the PIX device as the VPN endpoint (Easy VPN Server), but the clients will have to connect to the outside interface of the DSL router. How do I get the VPN connection to the PIX from the router? I am thinking pass-through or port forwarding will be required on the router?
Question by: qseovic

    Accepted Solution

    Hi there

    I would allow the PIX to do the NATting from inside to public IP and turn off NAT on the router. The PIX will then have a public outside IP address and will now be your termination endpoint. You say you have configured NAT on both for increased security. To be honest, I don't see any real advantage in doing this from a security point of view. A properly configured PIX is a very secure firewall that will protect your network adequately, and adding NAT on your edge router won't help it a lot; it will just make for more complicated configuration.

    Here is a link showing how to configure the PIX as termination endpoint for a VPN client:

    This link uses AES; replace this as necessary with your preferred encryption.

    Hope this helps

    Expert Comment

    Hi gseovic

    Thank you for the accept, but may I ask why the C grade? I gave you a detailed answer and you did not follow up with any further detail or questions.

    Please read the help section on grading questions. C is the lowest you can give and generally indicates that you are not happy with the answer provided.

    Please advise if this was in error or if you used it for a reason. I see this is your first Q on EE.

