From: martin.bodenstedt@gmx.de   
      
   Ketta wrote:   
      
   > We have a pix firewall and we want to be able to allow L2TP VPN connections   
   > out for our users.  If we map an internal system to a valid external IP   
   > address and permit 1701 UDP, 500 UDP and ESP outbound and inbound, it works.   
   > The problem is, we do not have 500 valid external addresses to provide this   
   > functionality to everyone who requires it.  If we permit the those ports   
   > incoming to our global address (the one that everyone goes out on HTTP), the   
   > VPN cannot connect.  We are missing something and my best guess from what   
   > information I can find is the following:   
      
   Excuse me,   
      
   I think You want to provide your users to VPN _in_ to your corporate   
   network.   
      
   Therefore only your corporate VPN gateway needs a fixed and routable IP   
     address. The clients can use dynamic addresses (that is addresses   
   provided them by their isp).   
      
   For L2TP you only need UDP port 1701   
      
   --   
   Martin Bodenstedt   
      
   www.landtag-bw.de / www.die-bodenstedts.de   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)