From: kurt kruegel (kurt@cybernex.net)
Date: Tue Jan 07 2003 - 17:34:45 GMT-3
Hmmmm, I've been using IPsec/NAT over udp/10000 on a 3030.
We've only opened udp/500 for IKE and udp/1000 for NAT-T in our DMZ.
My PIX 501 is behind my DSL and works like a charm.
I can even run 2 VPN sessions with the 3.6.3 client.
I believe udp/10000 was the default and you had to configure manual IPsec/TCP in the client.
I think they've begun to tinker with a NAT-T autodetect as well.
Sam Munzani wrote:
> Look at the link below.
>
> http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml
>
> Currently they support only Cisco Unity client with VPN concentrators for NAT-T.
>
> Sam
> > What about IPsec/NAT traversal?
> > Works fine on my 501.
> >
> > Sam Munzani wrote:
> >
> > > correct,
> > > And
> > > access-list 23 permit esp any host VPN-CLIENT
> > > Then
> > > static (inside, outside) legal-ip vpn-client-lan-ip
> > >
> > > This should do it.
> > >
> > > Sam
> > >
> > > ----- Original Message -----
> > > From: "???Roger" <roger@sysage.com.cn>
> > > To: "Sam Munzani" <sam@munzani.com>; <ccielab@groupstudy.com>
> > > Sent: Monday, January 06, 2003 7:43 PM
> > > Subject: Re: VPN ACROSS PIX
> > >
> > > You mean that I should use the command: ''access-list 23 permit udp any host (vpn client) eq 500
> > >
> > > -----Original Message-----
> > > From: Sam Munzani [mailto:sam@munzani.com]
> > > Sent: January 7, 2003 9:35
> > > To: ???Roger; ccielab@groupstudy.com
> > > Subject: Re: VPN ACROSS PIX
> > >
> > > You can do IPsec VPN 3 different ways.
> > > 1. ESP (Encapsulating Security Payload). This method encrypts the payload only, not the header.
> > > 2. AH (Authentication Header). This method doesn't encrypt the payload but generates a hash for the full packet. This method does not work with NAT.
> > > 3. ESP & AH both.
> > >
> > > None of the IPSEC methods work with PAT. Only method 1 works with 1-to-1 NAT. For that to work properly you need to open up protocol ESP and UDP/500 (if you are doing isakmp).
> > >
> > > Sam
> > >
> > > Hi Sam,
> > > Because I am so poor in VPN, can you tell me more about why to open up inbound ESP, and why VPN uses udp/500, not tcp?
> > > What does "inbound ESP" mean?
> > >
> > > -----Original Message-----
> > > From: Sam Munzani [mailto:sam@munzani.com]
> > > Sent: January 6, 2003 23:03
> > > To: ???Roger; ccielab@groupstudy.com
> > > Subject: Re: VPN ACROSS PIX
> > >
> > > VPN client does not work when you do PAT. If you are already doing NAT, open up inbound ESP, UDP/500 and you would be fine.
> > >
> > > Sam Munzani
> > > CCIE # 6479 (R&S, Security)
> > >
> > > >
> > > > I want to configure a VPN client (win2000/win98) to connect to a VPN gateway (win2000
> > > > server) across a pix515e(ur).
> > > > I tried to do it, but I failed. What should I do in the pix? How do I configure the pix 515e?
> > > >
> > > > Vpn client (win2000/win98)--------**PIX515e ----------------------**vpn
> > > > gateway (win2000 server)
> > > >
> > > > Pix configure
> > > > PIX Version 6.2(2)
> > > > nameif ethernet0 outside security0
> > > > nameif ethernet1 inside security100
> > > > enable password fmAN7Xt.r3eoK4vC encrypted
> > > > passwd aXha9uJboq3B.Dje encrypted
> > > > hostname pixfirewall
> > > > fixup protocol ftp 21
> > > > fixup protocol http 80
> > > > fixup protocol h323 h225 1720
> > > > fixup protocol h323 ras 1718-1719
> > > > fixup protocol ils 389
> > > > fixup protocol rsh 514
> > > > fixup protocol rtsp 554
> > > > fixup protocol sqlnet 1521
> > > > fixup protocol sip 5060
> > > > fixup protocol skinny 2000
> > > > no fixup protocol smtp 25
> > > > names
> > > > pager lines 24
> > > > logging on
> > > > interface ethernet0 auto
> > > > interface ethernet1 auto
> > > > mtu outside 1500
> > > > mtu inside 1500
> > > > ip address outside 211.157.16.69 255.255.255.248
> > > > ip address inside 192.168.0.253 255.255.255.0
> > > > ip audit info action alarm
> > > > ip audit attack action alarm
> > > > pdm history enable
> > > > arp timeout 14400
> > > > global (outside) 1 211.157.16.65
> > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > static (inside,outside) 211.157.16.66 192.168.0.101 n
> > > > access-group 2 in interface outside
> > > > route outside 0.0.0.0 0.0.0.0 5.0.0.2 1
> > > > timeout xlate 3:00:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> > > > p 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > aaa-server TACACS+ protocol tacacs+
> > > > aaa-server RADIUS protocol radius
> > > > aaa-server LOCAL protocol local
> > > > http server enable
> > > > http 192.168.0.135 255.255.255.255 inside
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server community public
> > > > no snmp-server enable traps
> > > > floodguard enable
> > > > no sysopt route dnat
> > > > telnet 192.168.0.131 255.255.255.255 inside
> > > > telnet 192.168.0.135 255.255.255.255 inside
> > > > telnet 192.168.0.233 255.255.255.255 inside
> > > > telnet timeout 5
> > > > ssh timeout 5
> > > > terminal width 80
> > > > Cryptochecksum:41eaae1aa8a0d3491d88baa8d2d07362
> > > > : end
> > > > pixfirewall#
> > > > ------------------------------------------
> > > > BEST WISH WITH YOU !!!
> > > > Sysage Group/Beijing Cyberplus Tech. Co.,Ltd.
> > > > Tel : (86-21) 3308-0238 #135
> > > > Fax : (86-21) 6384-3377
> > > > E-mail: ROGER@SYSAGE.COM.CN <mailto:ROGER@SYSAGE.COM.CN>
> > > > .
> > > .
.
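The thread's three claims (AH breaks under any NAT, ESP survives 1-to-1 NAT but not PAT, and UDP-encapsulated ESP on udp/10000 survives PAT) as a small added simulation; this is illustrative code written for this archive page, not Cisco's or any poster's, and the HMAC coverage, key and NAT table are constructed simplifications rather than a real IPsec implementation.

```python
"""Constructed model of AH/ESP integrity coverage versus NAT and PAT (not real IPsec)."""
import hashlib
import hmac
from typing import List, Optional

KEY = b"constructed-demo-sa-key"            # constructed shared SA key
INSIDE_A, INSIDE_B = "192.168.0.101", "192.168.0.102"   # two inside hosts
GATEWAY = "5.0.0.2"                          # constructed VPN gateway address
PUBLIC_IP = "211.157.16.65"                  # outside address taken from the posted config


def icv(*fields: str) -> str:
    """Integrity check value over the given fields (simplified HMAC-SHA256)."""
    return hmac.new(KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def build(mode: str, src: str, dst: str, payload: str, port: Optional[int] = None) -> dict:
    """mode 'ah': ICV also covers the IP header addresses (AH authenticates the whole packet).
    mode 'esp' / 'esp-udp': ICV covers only the ESP data; 'esp-udp' adds a UDP port (NAT-T)."""
    pkt = {"mode": mode, "src": src, "dst": dst, "payload": payload, "port": port}
    pkt["icv"] = icv(src, dst, payload) if mode == "ah" else icv(payload)
    return pkt


def verify(pkt: dict) -> bool:
    """Receiver recomputes the ICV over the packet as it arrived after translation."""
    expected = icv(pkt["src"], pkt["dst"], pkt["payload"]) if pkt["mode"] == "ah" else icv(pkt["payload"])
    return hmac.compare_digest(pkt["icv"], expected)


def nat_1to1(pkt: dict, public_ip: str) -> dict:
    """static (inside,outside): only the source address is rewritten, nothing else touched."""
    return {**pkt, "src": public_ip}


def pat(pkts: List[dict], public_ip: str) -> List[Optional[dict]]:
    """Port address translation: many inside hosts share one public address and are told
    apart by a translated source port.  A packet with no port gives PAT nothing to key
    the translation on, so this model cannot translate it and returns None for it."""
    out: List[Optional[dict]] = []
    next_port = 1024
    for p in pkts:
        if p["port"] is None:
            out.append(None)                 # plain ESP/AH: no transport-layer port to translate
        else:
            out.append({**p, "src": public_ip, "port": next_port})
            next_port += 1
    return out
```

Running `verify(nat_1to1(build("ah", INSIDE_A, GATEWAY, "data"), PUBLIC_IP))` returns False while the same call with `"esp"` returns True, and `pat` translates two `"esp-udp"` packets on port 10000 to distinct ports but returns None for plain ESP.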
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:44 GMT-3