Re: Re: VPN ACROSS PIX

From: d.vndkshn@verizon.net
Date: Tue Jan 14 2003 - 02:34:22 GMT-3


Not sure if the original intention was to do this or not, but I had an interesting conversation with Cisco today regarding VPNs and the PIX.

The meat of the issue that potentially applies to this thread:

Currently, IPSEC over TCP is only supported with their Unity client, and is not supported at all on the PIX, forcing the use of a VPN concentrator. However, PIX 6.3 is due out in June (again, per Cisco) which will support IPSEC over TCP.

While not a VPN guru, my understanding for the need to support IPSEC over TCP occurs when the client end is behind a firewall (not the PIX that the IPSEC will terminate to). That sound correct to everyone?

>
> From: "Sam Munzani" <sam@munzani.com>
> Date: 2003/01/07 Tue PM 02:49:44 CST
> To: "kurt kruegel" <kurt@cybernex.net>
> CC: "???Roger" <roger@sysage.com.cn>, <ccielab@groupstudy.com>
> Subject: Re: VPN ACROSS PIX
>
> My post was, for IPSEC standard it will not work with PAT. VPN 3030 is a different animal and uses NAT-T on top of the IPSEC standard RFC. If you use any standards-based IPSEC client for VPN (e.g. Safenet), it will not work with PAT for sure.
>
> Sam
>
> > Hmmmm, I've been using ipsec/nat over udp/10000 on a 3030.
> > We've only opened udp/500 for ike and udp/1000 for nat-t in our dmz.
> > My pix 501 is behind my dsl and works like a charm.
> > I can even run 2 vpn sessions with the 3.6.3 client.
> > I believe udp/10000 was the default and you had to configure manual ipsec/tcp in the client.
> > I think they've begun to tinker with a nat-t autodetect as well.
> >
> > Sam Munzani wrote:
> >
> > > Look at the link below.
> > >
> > > http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml
> > >
> > > Currently they support only Cisco Unity client with VPN concentrators for NAT-T.
> > >
> > > Sam
> > > > what about ipsec/nat traversal ?
> > > > works fine on my 501
> > > >
> > > > Sam Munzani wrote:
> > > >
> > > > > correct,
> > > > > And
> > > > > access-list 23 permit esp any host VPN-CLIENT
> > > > > Then
> > > > > static (inside, outside) legal-ip vpn-client-lan-ip
> > > > >
> > > > > This should do it.
> > > > >
> > > > > Sam
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "???Roger" <roger@sysage.com.cn>
> > > > > To: "Sam Munzani" <sam@munzani.com>; <ccielab@groupstudy.com>
> > > > > Sent: Monday, January 06, 2003 7:43 PM
> > > > > Subject: Re: VPN ACROSS PIX
> > > > >
> > > > > You mean that I should use the command: ''access-list 23 permit udp any host (vpn client) eq 500''
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > Sent: January 7, 2003 9:35
> > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > Subject: Re: VPN ACROSS PIX
> > > > >
> > > > > You can do ipsec vpn 3 different ways.
> > > > > 1. ESP (Encapsulating Security Payload). This method encrypts the payload only, not the header.
> > > > > 2. AH (Authentication Header). This method doesn't encrypt the payload but generates a hash over the full packet. This method does not work with NAT.
> > > > > 3. ESP & AH both.
> > > > >
> > > > > All the methods of IPSEC don't work with PAT. Only method 1 works with 1-to-1 NAT. For that to work properly you need to open up protocol ESP and UDP/500 (if you are doing isakmp).
> > > > >
> > > > > Sam
> > > > >
> > > > > Hi Sam,
> > > > > Because I am so poor in VPN, can you tell me more about why to open up inbound ESP, and why VPN uses udp/500, not tcp?
> > > > > What does "inbound ESP" mean?
> > > > >
> > > > > -----Original Message-----
> > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > Sent: January 6, 2003 23:03
> > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > Subject: Re: VPN ACROSS PIX
> > > > >
> > > > > VPN client does not work when you do PAT. If you are already doing NAT, open up inbound ESP, UDP/500 and you would be fine.
> > > > >
> > > > > Sam Munzani
> > > > > CCIE # 6479 (R&S, Security)
> > > > >
> > > > > >
> > > > > > I want to configure a vpn client (win2000/win98) to connect to a VPN gateway (win2000 server) across a pix515e(ur).
> > > > > > I tried to do it, but I failed. What should I do in the pix? How do I configure the pix 515e?
> > > > > >
> > > > > > Vpn client (win2000/win98)--------**PIX515e ----------------------**vpn gateway (win2000 server)
> > > > > >
> > > > > > Pix configuration
> > > > > > PIX Version 6.2(2)
> > > > > > nameif ethernet0 outside security0
> > > > > > nameif ethernet1 inside security100
> > > > > > enable password fmAN7Xt.r3eoK4vC encrypted
> > > > > > passwd aXha9uJboq3B.Dje encrypted
> > > > > > hostname pixfirewall
> > > > > > fixup protocol ftp 21
> > > > > > fixup protocol http 80
> > > > > > fixup protocol h323 h225 1720
> > > > > > fixup protocol h323 ras 1718-1719
> > > > > > fixup protocol ils 389
> > > > > > fixup protocol rsh 514
> > > > > > fixup protocol rtsp 554
> > > > > > fixup protocol sqlnet 1521
> > > > > > fixup protocol sip 5060
> > > > > > fixup protocol skinny 2000
> > > > > > no fixup protocol smtp 25
> > > > > > names
> > > > > > pager lines 24
> > > > > > logging on
> > > > > > interface ethernet0 auto
> > > > > > interface ethernet1 auto
> > > > > > mtu outside 1500
> > > > > > mtu inside 1500
> > > > > > ip address outside 211.157.16.69 255.255.255.248
> > > > > > ip address inside 192.168.0.253 255.255.255.0
> > > > > > ip audit info action alarm
> > > > > > ip audit attack action alarm
> > > > > > pdm history enable
> > > > > > arp timeout 14400
> > > > > > global (outside) 1 211.157.16.65
> > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > > > static (inside,outside) 211.157.16.66 192.168.0.101 n
> > > > > > access-group 2 in interface outside
> > > > > > route outside 0.0.0.0 0.0.0.0 5.0.0.2 1
> > > > > > timeout xlate 3:00:00
> > > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> > > > > > p 0:30:00 sip_media 0:02:00
> > > > > > timeout uauth 0:05:00 absolute
> > > > > > aaa-server TACACS+ protocol tacacs+
> > > > > > aaa-server RADIUS protocol radius
> > > > > > aaa-server LOCAL protocol local
> > > > > > http server enable
> > > > > > http 192.168.0.135 255.255.255.255 inside
> > > > > > no snmp-server location
> > > > > > no snmp-server contact
> > > > > > snmp-server community public
> > > > > > no snmp-server enable traps
> > > > > > floodguard enable
> > > > > > no sysopt route dnat
> > > > > > telnet 192.168.0.131 255.255.255.255 inside
> > > > > > telnet 192.168.0.135 255.255.255.255 inside
> > > > > > telnet 192.168.0.233 255.255.255.255 inside
> > > > > > telnet timeout 5
> > > > > > ssh timeout 5
> > > > > > terminal width 80
> > > > > > Cryptochecksum:41eaae1aa8a0d3491d88baa8d2d07362
> > > > > > : end
> > > > > > pixfirewall#
> > > > > > ------------------------------------------
> > > > > > BEST WISH WITH YOU !!!
> > > > > > Sysage Group/Beijing Cyberplus Tech. Co.,Ltd.
> > > > > > Tel : (86-21) 3308-0238 #135
> > > > > > Fax : (86-21) 6384-3377
> > > > > > E-mail: ROGER@SYSAGE.COM.CN <mailto:ROGER@SYSAGE.COM.CN>
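As an added example (not from the thread, Cisco, or any poster), a small Python check of the three conditions Sam lists, run against the PIX config Roger posted: a 1:1 static for the VPN client so it is not PATed, an inbound permit for protocol ESP, and an inbound permit for UDP/500. The config strings are constructed from the posted lines; the truncated static line is completed with a netmask, and the ACL name 2 is assumed from the access-group line.

```python
import re

# Constructed excerpt of the PIX 6.2 configuration quoted in the thread (the
# static line is completed with a netmask; the posted copy was cut off).
PIX_AS_POSTED = """\
global (outside) 1 211.157.16.65
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 211.157.16.66 192.168.0.101 netmask 255.255.255.255 0 0
access-group 2 in interface outside
"""

# Same excerpt with Sam's ACL entries applied to ACL 2 (assumed to be the list bound inbound on outside).
PIX_FIXED = PIX_AS_POSTED + """\
access-list 2 permit esp any host 211.157.16.66
access-list 2 permit udp any host 211.157.16.66 eq isakmp
"""

def parse_statics(config):
    """Map inside host -> global IP from 'static (inside,outside) GLOBAL LOCAL' lines."""
    pairs = re.findall(r"^static \(inside,\s*outside\) (\S+) (\S+)", config, re.M)
    return {local: glob for glob, local in pairs}

def outside_acls(config):
    """Names of ACLs bound inbound on the outside interface."""
    return set(re.findall(r"^access-group (\S+) in interface outside", config, re.M))

def acl_permits(config, acl, proto, host, ports=()):
    """True if ACL has a 'permit PROTO any host HOST [eq PORT]' entry."""
    pat = rf"^access-list {re.escape(acl)} permit {proto} any host {re.escape(host)}"
    if ports:
        pat += r" eq (?:" + "|".join(map(re.escape, ports)) + r")\b"
    return re.search(pat, config, re.M) is not None

def audit_vpn_passthrough(config, client_ip):
    """Check the three conditions from the thread for an IPsec client at client_ip."""
    findings = []
    glob = parse_statics(config).get(client_ip)
    if glob is None:  # no static: the host falls into the global/nat pool, i.e. PAT
        return [f"{client_ip} has no 1:1 static, so it is PATed and IPsec will fail"]
    acls = outside_acls(config)
    if not any(acl_permits(config, a, "esp", glob) for a in acls):
        findings.append(f"inbound ESP to {glob} is not permitted")
    if not any(acl_permits(config, a, "udp", glob, ("500", "isakmp")) for a in acls):
        findings.append(f"inbound UDP/500 (IKE) to {glob} is not permitted")
    return findings

if __name__ == "__main__":
    for name, cfg in (("as posted", PIX_AS_POSTED), ("fixed", PIX_FIXED)):
        print(name, audit_vpn_passthrough(cfg, "192.168.0.101") or ["ok"])
```

The check only covers the ESP-with-1:1-NAT case from the thread; a NAT-T client would additionally need UDP/4500 (or the concentrator's configured port) permitted.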



This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:48 GMT-3