Re: Re: VPN ACROSS PIX

From: Jim Terry (jtixthus@attbi.com)
Date: Tue Jan 14 2003 - 16:18:12 GMT-3


You have to use IPSEC wrapped in TCP if you want to have a VPN tunnel go
through PAT. It does not matter if the remote client is behind a firewall or
not. The big thing is if the tunnel destination on your central site is on
your protected network and you have PAT on your FW. If you want to
terminate the tunnel on the PIX you are okay. This comes into play when you
want to terminate the tunnel on the inside of your network. Most cheap home
FWs allow PAT pass-through but Cisco does not. If this will be allowed in
6.3 that is cool.

JT

----- Original Message -----
From: <d.vndkshn@verizon.net>
To: "Sam Munzani" <sam@munzani.com>; "kurt kruegel" <kurt@cybernex.net>
Cc: "???Roger" <roger@sysage.com.cn>; <ccielab@groupstudy.com>
Sent: Monday, January 13, 2003 9:34 PM
Subject: Re: Re: VPN ACROSS PIX

> Not sure if the original intention was to do this or not, but I had an interesting conversation with Cisco today regarding VPNs and the PIX.
>
> The meat of the issue that potentially applies to this thread:
>
> Currently, IPSEC over TCP is only supported with their Unity client, and is not supported at all on the PIX, forcing the use of a VPN concentrator. However, PIX 6.3 is due out in June (again, per Cisco) which will support IPSEC over TCP.
>
> While not a VPN guru, my understanding for the need to support IPSEC over TCP occurs when the client end is behind a firewall (not the PIX that the IPSEC will terminate to). Does that sound correct to everyone?
>
> >
> > From: "Sam Munzani" <sam@munzani.com>
> > Date: 2003/01/07 Tue PM 02:49:44 CST
> > To: "kurt kruegel" <kurt@cybernex.net>
> > CC: "???Roger" <roger@sysage.com.cn>, <ccielab@groupstudy.com>
> > Subject: Re: VPN ACROSS PIX
> >
> > My post was, for IPSEC standard it will not work with PAT. VPN 3030 is a different animal and uses NAT-T on top of the IPSEC standard RFC. If you use any standards-based IPSEC client for VPN (e.g. Safenet) it will not work with PAT for sure.
> >
> > Sam
> >
> > > Hmmmm, I've been using ipsec/nat over udp/10000 on a 3030.
> > > We've only opened udp/500 for ike and udp/1000 for nat-t in our dmz.
> > > My pix 501 is behind my dsl and works like a charm.
> > > I can even run 2 vpn sessions with the 3.6.3 client.
> > > I believe udp/10000 was the default and you had to configure manual ipsec/tcp in the client.
> > > I think they've begun to tinker with a nat-t autodetect as well.
> > >
> > > Sam Munzani wrote:
> > >
> > > > Look at the link below.
> > > >
> > > >
> > > > http://www.cisco.com/en/US/products/sw/secursw/ps2276/products_configuration_example09186a008010edf4.shtml
> > > >
> > > > Currently they support only Cisco Unity client with VPN concentrators for NAT-T.
> > > >
> > > > Sam
> > > > > What about ipsec/nat traversal?
> > > > > Works fine on my 501.
> > > > >
> > > > > Sam Munzani wrote:
> > > > >
> > > > > > correct,
> > > > > > And
> > > > > > access-list 23 permit esp any host VPN-CLIENT
> > > > > > Then
> > > > > > static (inside, outside) legal-ip vpn-client-lan-ip
> > > > > >
> > > > > > This should do it.
> > > > > >
> > > > > > Sam
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "???Roger" <roger@sysage.com.cn>
> > > > > > To: "Sam Munzani" <sam@munzani.com>; <ccielab@groupstudy.com>
> > > > > > Sent: Monday, January 06, 2003 7:43 PM
> > > > > > Subject: Re: VPN ACROSS PIX
> > > > > >
> > > > > > You mean that I should use the command: ''access-list 23 permit udp any host (vpn client) eq 500
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > > Sent: January 7, 2003 9:35
> > > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > > Subject: Re: VPN ACROSS PIX
> > > > > >
> > > > > > You can do ipsec vpn 3 different ways.
> > > > > > 1. ESP (Encapsulated Security Payload). This method encrypts the payload only, not the header.
> > > > > > 2. AH (Authentication Header). This method doesn't encrypt the payload but generates a hash for the full packet. This method does not work with NAT.
> > > > > > 3. ESP & AH both.
> > > > > >
> > > > > > All the methods of IPSEC don't work with PAT. Only method 1 works with 1 to 1 NAT. For that to work properly you need to open up Protocol ESP and UDP/500 (if you are doing isakmp).
> > > > > >
> > > > > > Sam
> > > > > >
> > > > > > Hi Sam,
> > > > > > Because I am so poor in vpn, can you tell me more about why to open up inbound ESP, and why vpn uses udp/500, not tcp?
> > > > > > What does "inbound ESP" mean?
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: Sam Munzani [mailto:sam@munzani.com]
> > > > > > Sent: January 6, 2003 23:03
> > > > > > To: ???Roger; ccielab@groupstudy.com
> > > > > > Subject: Re: VPN ACROSS PIX
> > > > > >
> > > > > > VPN client does not work when you do PAT. If you are already doing NAT, open up inbound ESP and UDP/500 and you would be fine.
> > > > > >
> > > > > > Sam Munzani
> > > > > > CCIE # 6479 (R&S, Security)
> > > > > >
> > > > > > >
> > > > > > > I want to configure a vpn client (win2000/win98) to connect to a VPN gateway (win2000 server) across a pix515e(ur).
> > > > > > > I tried to do it, but I failed. What should I do in the pix? How to config the pix 515e?
> > > > > > >
> > > > > > > Vpn client (win2000/win98)--------**PIX515e ----------------------**vpn gateway (win2000 server)
> > > > > > >
> > > > > > > Pix configure
> > > > > > > PIX Version 6.2(2)
> > > > > > > nameif ethernet0 outside security0
> > > > > > > nameif ethernet1 inside security100
> > > > > > > enable password fmAN7Xt.r3eoK4vC encrypted
> > > > > > > passwd aXha9uJboq3B.Dje encrypted
> > > > > > > hostname pixfirewall
> > > > > > > fixup protocol ftp 21
> > > > > > > fixup protocol http 80
> > > > > > > fixup protocol h323 h225 1720
> > > > > > > fixup protocol h323 ras 1718-1719
> > > > > > > fixup protocol ils 389
> > > > > > > fixup protocol rsh 514
> > > > > > > fixup protocol rtsp 554
> > > > > > > fixup protocol sqlnet 1521
> > > > > > > fixup protocol sip 5060
> > > > > > > fixup protocol skinny 2000
> > > > > > > no fixup protocol smtp 25
> > > > > > > names
> > > > > > > pager lines 24
> > > > > > > logging on
> > > > > > > interface ethernet0 auto
> > > > > > > interface ethernet1 auto
> > > > > > > mtu outside 1500
> > > > > > > mtu inside 1500
> > > > > > > ip address outside 211.157.16.69 255.255.255.248
> > > > > > > ip address inside 192.168.0.253 255.255.255.0
> > > > > > > ip audit info action alarm
> > > > > > > ip audit attack action alarm
> > > > > > > pdm history enable
> > > > > > > arp timeout 14400
> > > > > > > global (outside) 1 211.157.16.65
> > > > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > > > > static (inside,outside) 211.157.16.66 192.168.0.101 n
> > > > > > > access-group 2 in interface outside
> > > > > > > route outside 0.0.0.0 0.0.0.0 5.0.0.2 1
> > > > > > > timeout xlate 3:00:00
> > > > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> > > > > > > p 0:30:00 sip_media 0:02:00
> > > > > > > timeout uauth 0:05:00 absolute
> > > > > > > aaa-server TACACS+ protocol tacacs+
> > > > > > > aaa-server RADIUS protocol radius
> > > > > > > aaa-server LOCAL protocol local
> > > > > > > http server enable
> > > > > > > http 192.168.0.135 255.255.255.255 inside
> > > > > > > no snmp-server location
> > > > > > > no snmp-server contact
> > > > > > > snmp-server community public
> > > > > > > no snmp-server enable traps
> > > > > > > floodguard enable
> > > > > > > no sysopt route dnat
> > > > > > > telnet 192.168.0.131 255.255.255.255 inside
> > > > > > > telnet 192.168.0.135 255.255.255.255 inside
> > > > > > > telnet 192.168.0.233 255.255.255.255 inside
> > > > > > > telnet timeout 5
> > > > > > > ssh timeout 5
> > > > > > > terminal width 80
> > > > > > > Cryptochecksum:41eaae1aa8a0d3491d88baa8d2d07362
> > > > > > > : end
> > > > > > > pixfirewall#
> > > > > > > ------------------------------------------
> > > > > > > BEST WISH WITH YOU !!!
> > > > > > > Sysage Group/Beijing Cyberplus Tech. Co.,Ltd.
> > > > > > > Tel : (86-21) 3308-0238 #135
> > > > > > > Fax : (86-21) 6384-3377
> > > > > > > E-mail: ROGER@SYSAGE.COM.CN
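Sam Munzani's explanation in the quoted thread (AH hashes the IP header so NAT breaks it, ESP survives 1:1 NAT but PAT has no port to rewrite, and NAT-T's UDP wrapping gives PAT that port) as an added Python simulation. This is not code from the thread, the PIX or Cisco; the key, the packet model and the simplified ICV coverage are constructed assumptions, and the addresses are the ones in the quoted PIX config.

```python
import hashlib, hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-sa-key"   # constructed SA integrity key, not a real SA
ESP, AH, UDP = 50, 51, 17          # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    sport: "int | None"    # only transport protocols carry a port to rewrite
    payload: bytes
    icv: bytes = b""

def ah_icv(p: Packet) -> bytes:
    # AH's ICV covers the IP header's immutable fields (src, dst, proto) plus
    # the payload; TTL is mutable and zeroed, so hops are fine but NAT is not.
    data = f"{p.src}|{p.dst}|{p.proto}|".encode() + p.payload
    return hmac.new(KEY, data, hashlib.sha256).digest()

def esp_icv(p: Packet) -> bytes:
    # ESP's ICV covers only the ESP header and payload, never the outer IP header.
    return hmac.new(KEY, p.payload, hashlib.sha256).digest()

def protect(p: Packet, mode: int) -> Packet:
    q = replace(p, proto=mode)
    return replace(q, icv=ah_icv(q) if mode == AH else esp_icv(q))

def verify(p: Packet) -> bool:
    expected = ah_icv(p) if p.proto == AH else esp_icv(p)
    return hmac.compare_digest(expected, p.icv)

def hop(p: Packet) -> Packet:
    return replace(p, ttl=p.ttl - 1)         # a router on the path

def nat_one_to_one(p: Packet, public_ip: str) -> Packet:
    return replace(p, src=public_ip)         # static NAT rewrites only the address

def pat(p: Packet, public_ip: str, public_port: int) -> "Packet | None":
    # PAT rewrites a transport port to multiplex hosts; ESP/AH have no port to map.
    if p.sport is None:
        return None
    return replace(p, src=public_ip, sport=public_port)

def nat_t_encapsulate(p: Packet) -> Packet:
    # NAT-T wraps ESP in UDP/4500 so PAT has a port; the ESP ICV stays valid.
    return replace(p, proto=UDP, sport=4500)
```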



This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:49 GMT-3