From: kurt kruegel (kurt@cybernex.net)
Date: Tue Jan 07 2003 - 14:19:49 GMT-3
What about IPsec/NAT traversal?
Works fine on my 501.
Sam Munzani wrote:
> correct,
> And
> access-list 23 permit esp any host VPN-CLIENT
> Then
> static (inside, outside) legal-ip vpn-client-lan-ip
>
> This should do it.
>
> Sam
>
> ----- Original Message -----
> From: "???Roger" <roger@sysage.com.cn>
> To: "Sam Munzani" <sam@munzani.com>; <ccielab@groupstudy.com>
> Sent: Monday, January 06, 2003 7:43 PM
> Subject: Re: VPN ACROSS PIX
>
> You mean that I should use the command: "access-list 23 permit udp any host (vpn client) eq 500"
>
> -----Original Message-----
> From: Sam Munzani [mailto:sam@munzani.com]
> Sent: January 7, 2003 9:35
> To: ???Roger; ccielab@groupstudy.com
> Subject: Re: VPN ACROSS PIX
>
> You can do IPsec VPN 3 different ways.
> 1. ESP (Encapsulating Security Payload). This method encrypts the payload only, not the header.
> 2. AH (Authentication Header). This method doesn't encrypt the payload but generates a hash over the full packet. This method does not work with NAT.
> 3. Both ESP and AH.
>
> None of the IPsec methods work with PAT. Only method 1 works with 1-to-1 NAT. For that to work properly you need to open up protocol ESP and UDP/500 (if you are doing ISAKMP).
>
> Sam
>
> Hi Sam,
> Because I am so poor in VPN, can you tell me more about why we open up inbound ESP, and why VPN uses UDP/500 and not TCP?
> What does "inbound ESP" mean?
>
> -----Original Message-----
> From: Sam Munzani [mailto:sam@munzani.com]
> Sent: January 6, 2003 23:03
> To: ???Roger; ccielab@groupstudy.com
> Subject: Re: VPN ACROSS PIX
>
> VPN client does not work when you do PAT. If you are already doing NAT, open up inbound ESP, UDP/500 and you would be fine.
>
> Sam Munzani
> CCIE # 6479 (R&S, Security)
>
> >
> > I want to configure a VPN client (win2000/win98) to connect to a VPN gateway (win2000
> > server) across a pix515e(ur).
> > I tried to do it but failed. What should I do in the pix? How do I configure the pix 515e?
> >
> > Vpn client (win2000/win98)--------**PIX515e ----------------------**vpn
> > gateway (win2000 server)
> >
> > Pix configure
> > PIX Version 6.2(2)
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password fmAN7Xt.r3eoK4vC encrypted
> > passwd aXha9uJboq3B.Dje encrypted
> > hostname pixfirewall
> > fixup protocol ftp 21
> > fixup protocol http 80
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol ils 389
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sqlnet 1521
> > fixup protocol sip 5060
> > fixup protocol skinny 2000
> > no fixup protocol smtp 25
> > names
> > pager lines 24
> > logging on
> > interface ethernet0 auto
> > interface ethernet1 auto
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside 211.157.16.69 255.255.255.248
> > ip address inside 192.168.0.253 255.255.255.0
> > ip audit info action alarm
> > ip audit attack action alarm
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 211.157.16.65
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) 211.157.16.66 192.168.0.101 n
> > access-group 2 in interface outside
> > route outside 0.0.0.0 0.0.0.0 5.0.0.2 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> > p 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server RADIUS protocol radius
> > aaa-server LOCAL protocol local
> > http server enable
> > http 192.168.0.135 255.255.255.255 inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > floodguard enable
> > no sysopt route dnat
> > telnet 192.168.0.131 255.255.255.255 inside
> > telnet 192.168.0.135 255.255.255.255 inside
> > telnet 192.168.0.233 255.255.255.255 inside
> > telnet timeout 5
> > ssh timeout 5
> > terminal width 80
> > Cryptochecksum:41eaae1aa8a0d3491d88baa8d2d07362
> > : end
> > pixfirewall#
> > ------------------------------------------
> > BEST WISH WITH YOU !!!
> > Sysage Group/Beijing Cyberplus Tech. Co.,Ltd.
> > Tel : (86-21) 3308-0238 #135
> > Fax : (86-21) 6384-3377
> > E-mail: ROGER@SYSAGE.COM.CN <mailto:ROGER@SYSAGE.COM.CN>
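An added example, not from this thread, that models why Sam's three statements hold: AH's integrity check covers the outer IP header, so even 1:1 NAT breaks it; ESP's check does not, so a static translation passes; and raw ESP has no port for PAT to rewrite until NAT traversal (Kurt's point) wraps it in UDP/4500. The inside/outside pair 192.168.0.101 / 211.157.16.66 is the static from the posted config; the peer address 203.0.113.10, the HMAC key and the 96-bit ICV truncation are constructed assumptions.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-integrity-key"   # constructed; a real SA key comes from IKE
AH, ESP, TCP, UDP = 51, 50, 6, 17          # IP protocol numbers


def ip_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; it is a mutable field anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH's ICV covers the outer IP header, addresses included; only mutable fields
    such as TTL (byte 8) and the header checksum (bytes 10-11) are zeroed first."""
    covered = hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return hmac.new(KEY, covered + payload, hashlib.sha256).digest()[:12]


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP's ICV covers SPI, sequence number and encrypted payload, never the outer IP header."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + ciphertext, hashlib.sha256).digest()[:12]


def static_nat(hdr: bytes, legal_ip: str) -> bytes:
    """1:1 NAT as in `static (inside,outside) legal-ip lan-ip`: only the source address changes."""
    return hdr[:12] + IPv4Address(legal_ip).packed + hdr[16:]


def ah_survives_static_nat() -> bool:
    payload = b"constructed inner packet"
    hdr = ip_header("192.168.0.101", "203.0.113.10", AH)   # peer address is constructed
    icv = ah_icv(hdr, payload)                              # computed by the inside host
    return hmac.compare_digest(icv, ah_icv(static_nat(hdr, "211.157.16.66"), payload))


def esp_survives_static_nat() -> bool:
    ct = b"constructed ciphertext"
    icv = esp_icv(0x1000, 1, ct)
    natted = static_nat(ip_header("192.168.0.101", "203.0.113.10", ESP), "211.157.16.66")
    # The peer verifies over SPI/seq/payload only; the rewritten outer header is not covered.
    rewritten = natted[12:16] == IPv4Address("211.157.16.66").packed
    return rewritten and hmac.compare_digest(icv, esp_icv(0x1000, 1, ct))


def pat_can_translate(proto: int) -> bool:
    """PAT shares one address by rewriting source ports; raw ESP carries an SPI, no ports."""
    return proto in (TCP, UDP)


def nat_t_encapsulate(esp_packet: bytes) -> tuple:
    """NAT traversal wraps ESP in UDP/4500 (constructed 8-byte UDP header) so PAT has a port."""
    return UDP, struct.pack("!HHHH", 4500, 4500, 8 + len(esp_packet), 0) + esp_packet
```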
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:44 GMT-3