From: Todd Veillette (tveillette@myeastern.com)
Date: Tue Jan 07 2003 - 21:39:45 GMT-3
Absolutely correct, Sam. I suspect you are using pass-thru, Kurt,
on your 501.
-TV
----- Original Message -----
From: "Sam Munzani" <sam@munzani.com>
To: "kurt kruegel" <kurt@cybernex.net>
Cc: "???Roger" <roger@sysage.com.cn>; <ccielab@groupstudy.com>
Sent: Tuesday, January 07, 2003 3:49 PM
Subject: Re: VPN ACROSS PIX
> My post was that standard IPSEC will not work with PAT. The VPN 3030 is a
> different animal and uses NAT-T on top of the IPSEC standard RFC. If you use any
> standards-based IPSEC client for VPN (e.g. Safenet), it will not work with PAT
> for sure.
>
> Sam
>
> > hmmmm i've been using ipsec/nat over udp/10000 on a 3030
> > we've only opened udp/500 for ike and udp/1000 for nat-t in our dmz
> > my pix 501 is behind my dsl and works like a charm
> > i can even run 2 vpn sessions with 3.6.3 client
> > i believe udp/10000 was the default and you had to configure manual
> > ipsec/tcp in the client
> > i think they've begun to tinker with a nat-t autodetect as well.
> >
> > Sam Munzani wrote:
> >
> > > Look at the link below.
> > >
> > > http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml
> > >
> > > Currently they support only the Cisco Unity client with VPN concentrators
> > > for NAT-T.
> > >
> > > Sam
> > > > what about ipsec/nat traversal ?
> > > > works fine on my 501
> > > >
> > > > Sam Munzani wrote:
> > > >
> > > > > correct,
> > > > > And
> > > > > access-list 23 permit esp any host VPN-CLIENT
> > > > > Then
> > > > > static (inside,outside) legal-ip vpn-client-lan-ip
> > > > >
> > > > > This should do it.
> > > > >
> > > > > Sam
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "???Roger" <roger@sysage.com.cn>
> > > > > To: "Sam Munzani" <sam@munzani.com>; <ccielab@groupstudy.com>
> > > > > Sent: Monday, January 06, 2003 7:43 PM
> > > > > Subject: Re: VPN ACROSS PIX
> > > > >
> > > > > You mean that I should use the command: 'access-list 23 permit udp
> > > > > any host (vpn client) eq 500'
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > Sent: January 7, 2003 9:35
> > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > Subject: Re: VPN ACROSS PIX
> > > > >
> > > > > You can do ipsec vpn 3 different ways.
> > > > > 1. ESP (Encapsulated Security Payload). This method encrypts the
> > > > > payload only, not the header.
> > > > > 2. AH (Authentication Header). This method doesn't encrypt the payload
> > > > > but generates a hash for the full packet. This method does not work with NAT.
> > > > > 3. ESP & AH both.
> > > > >
> > > > > None of the IPSEC methods works with PAT. Only method 1
> > > > > works with 1-to-1 NAT. For that to work properly you need to open up
> > > > > protocol ESP and UDP/500 (if you are doing isakmp).
> > > > >
> > > > > Sam
> > > > >
> > > > > Hi Sam,
> > > > > because I am so poor in vpn, can you tell me more about why to open up
> > > > > inbound ESP, and why vpn uses udp/500 and not tcp?
> > > > > What does "inbound ESP" mean?
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > Sent: January 6, 2003 23:03
> > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > Subject: Re: VPN ACROSS PIX
> > > > >
> > > > > The VPN client does not work when you do PAT. If you are already doing
> > > > > NAT, open up inbound ESP and UDP/500 and you will be fine.
> > > > >
> > > > > Sam Munzani
> > > > > CCIE # 6479 (R&S, Security)
> > > > >
> > > > > >
> > > > > > I want to configure a vpn client (win2000/win98) to connect to a VPN
> > > > > > gateway (win2000 server) across a pix515e(ur).
> > > > > > I tried to do it, but I failed. What should I do in the pix? How do I
> > > > > > config the pix 515e?
> > > > > >
> > > > > > Vpn client (win2000/win98)--------**PIX515e ----------------------**vpn gateway (win2000 server)
> > > > > >
> > > > > > Pix configure
> > > > > > PIX Version 6.2(2)
> > > > > > nameif ethernet0 outside security0
> > > > > > nameif ethernet1 inside security100
> > > > > > enable password fmAN7Xt.r3eoK4vC encrypted
> > > > > > passwd aXha9uJboq3B.Dje encrypted
> > > > > > hostname pixfirewall
> > > > > > fixup protocol ftp 21
> > > > > > fixup protocol http 80
> > > > > > fixup protocol h323 h225 1720
> > > > > > fixup protocol h323 ras 1718-1719
> > > > > > fixup protocol ils 389
> > > > > > fixup protocol rsh 514
> > > > > > fixup protocol rtsp 554
> > > > > > fixup protocol sqlnet 1521
> > > > > > fixup protocol sip 5060
> > > > > > fixup protocol skinny 2000
> > > > > > no fixup protocol smtp 25
> > > > > > names
> > > > > > pager lines 24
> > > > > > logging on
> > > > > > interface ethernet0 auto
> > > > > > interface ethernet1 auto
> > > > > > mtu outside 1500
> > > > > > mtu inside 1500
> > > > > > ip address outside 211.157.16.69 255.255.255.248
> > > > > > ip address inside 192.168.0.253 255.255.255.0
> > > > > > ip audit info action alarm
> > > > > > ip audit attack action alarm
> > > > > > pdm history enable
> > > > > > arp timeout 14400
> > > > > > global (outside) 1 211.157.16.65
> > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > > > static (inside,outside) 211.157.16.66 192.168.0.101 n
> > > > > > access-group 2 in interface outside
> > > > > > route outside 0.0.0.0 0.0.0.0 5.0.0.2 1
> > > > > > timeout xlate 3:00:00
> > > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> > > > > > p 0:30:00 sip_media 0:02:00
> > > > > > timeout uauth 0:05:00 absolute
> > > > > > aaa-server TACACS+ protocol tacacs+
> > > > > > aaa-server RADIUS protocol radius
> > > > > > aaa-server LOCAL protocol local
> > > > > > http server enable
> > > > > > http 192.168.0.135 255.255.255.255 inside
> > > > > > no snmp-server location
> > > > > > no snmp-server contact
> > > > > > snmp-server community public
> > > > > > no snmp-server enable traps
> > > > > > floodguard enable
> > > > > > no sysopt route dnat
> > > > > > telnet 192.168.0.131 255.255.255.255 inside
> > > > > > telnet 192.168.0.135 255.255.255.255 inside
> > > > > > telnet 192.168.0.233 255.255.255.255 inside
> > > > > > telnet timeout 5
> > > > > > ssh timeout 5
> > > > > > terminal width 80
> > > > > > Cryptochecksum:41eaae1aa8a0d3491d88baa8d2d07362
> > > > > > : end
> > > > > > pixfirewall#
> > > > > > ------------------------------------------
> > > > > > BEST WISH WITH YOU !!!
> > > > > > Sysage Group/Beijing Cyberplus Tech. Co.,Ltd.
> > > > > > Tel : (86-21) 3308-0238 #135
> > > > > > Fax : (86-21) 6384-3377
> > > > > > E-mail: ROGER@SYSAGE.COM.CN <mailto:ROGER@SYSAGE.COM.CN>
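Sam's points in the thread (AH breaks under any NAT because its hash covers the IP header, plain ESP survives 1-to-1 NAT but not PAT because it carries no ports, and NAT-T fixes PAT by wrapping ESP in UDP) can be seen in a small model. This is an added example, not code from the thread or from Cisco; the ICV computations and the PAT table are deliberately simplified stand-ins, the key is constructed, and the addresses are taken from Roger's PIX config.

```python
import hashlib
import hmac

# Constructed SA authentication key; a real SA's key comes from IKE (udp/500).
KEY = b"constructed-demo-key"

def ah_icv(pkt):
    """AH: the ICV covers the outer IP addresses as well as the payload, so any
    address rewrite by NAT invalidates it (Sam's 'does not work with NAT')."""
    covered = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}".encode() + pkt["payload"]
    return hmac.new(KEY, covered, hashlib.sha256).digest()

def esp_icv(pkt):
    """ESP: integrity covers only the ESP payload, never the outer IP header."""
    return hmac.new(KEY, pkt["payload"], hashlib.sha256).digest()

def survives_nat(pkt, icv_fn, new_src):
    """Sender computes the ICV, a 1:1 NAT rewrites the source, receiver verifies."""
    tag = icv_fn(pkt)
    translated = {**pkt, "src": new_src}
    return hmac.compare_digest(tag, icv_fn(translated))

def nat_t_encapsulate(pkt, udp_port=4500):
    """NAT-T: wrap ESP in UDP so a PAT device gets a port to translate.
    4500 is the RFC 3948 port; the thread's 3030 used Cisco's udp/10000."""
    return {**pkt, "proto": 17, "sport": udp_port}

class PatGateway:
    """Minimal PAT: the only thing it can key inbound traffic on is an L4 port."""
    def __init__(self):
        self.table = {}        # (proto, outside_port) -> inside source address
        self.next_port = 1024
    def outbound(self, pkt):
        """Return the (proto, port) the peer will send back to, or None if the
        packet cannot be translated. ESP (proto 50) has no port field, so only
        one inside host can ever own the translation."""
        if pkt["proto"] == 50:
            owner = self.table.get((50, None))
            if owner not in (None, pkt["src"]):
                return None    # a second ESP client collides with the first
            key = (50, None)
        else:
            key = (pkt["proto"], self.next_port)
            self.next_port += 1
        self.table[key] = pkt["src"]
        return key
    def inbound(self, proto, dport):
        """Look up which inside host a returning packet belongs to."""
        return self.table.get((proto, dport))
```

Run it with two inside clients: both ESP packets through PAT collide, both NAT-T packets get distinct outside ports, and only the AH check fails after the static (inside,outside) rewrite to 211.157.16.66.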
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:44 GMT-3