From: Sam Munzani (sam@munzani.com)
Date: Thu May 15 2003 - 18:43:06 GMT-3
You are absolutely right, Chris.
After connecting, the IP subnet mask I get for the VPN adapter is /16.
Fortunately I don't have that /16 used anywhere in my network; otherwise that
would create a problem.
Sam
> Thanks Sam for the thought. The 4.x client on 6.3.1 seems to be panning
> out well and the customer doesn't gripe that his "fast switch(?)" on XP
> is broken any more. Furthermore, I have not had the timeout issue yet.
>
> My big problem is the customer has dialup through AT&T. Dialup users
> are assigned all sorts of weird addresses but will always appear as
> 12.x.x.x on the dial-up client. The VPN may be coming from a dial-pool
> partner.
>
> Well, what this means is there is NAT going on somewhere. If the NAT
> blocks certain traffic, and unless it is true 1:1 NAT and not PAT, you are
> not going to get a traditional IPSEC connection. Generally this is why
> I make exceptions in my pix configs for the UDP/500 and IP/50.
>
> This was the very big selling point of the VPN 3000 series boxes, we
> could do the IPSEC over UDP.
>
> This is why I was looking to find if anyone found the explicit "turn
> this on" switch.
>
>
> ONE BIG PROBLEM I DID RUN ACROSS. In the PIX you build your SAs in
> access lists. This gets sent to the client and your IP pool and its
> subnet come across just fine. However, the 4.x client assigns a
> classful subnet mask to you.
>
> So for example, I had 172.23.230.192 255.255.255.192 as my subnet in the
> SA. I receive an IP address from the pool - 172.12.230.193 with a
> netmask of 255.255.0.0. You too can see this if you do an ipconfig /all.
>
> Thanks for listening.
>
>
> -----Original Message-----
> From: Sam Munzani [mailto:sam@munzani.com]
> Sent: Thursday, May 15, 2003 7:23 AM
> To: Chris Johnston; ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroups.com
> Subject: Re: OT - UDP1000 VPN on PIX 6.3.1
>
>
> Chris,
>
> I have configured NAT-T on 6.3.1 and it uses UDP/4000. Worked great with
> 3.6.4 client. Recently I upgraded my client to 4.01 under w2k and
> upgraded PIX to AES license. Ever since, I have been having weird issues.
> After the first few minutes of passing traffic across the VPN, it stops and
> the VPN times out. I didn't have time to go back to my old client. I tried
> going back to PIX with DES license and it didn't solve my problem.
>
> I will let you know how it goes with the old client. 4.01 might work well
> under XP, but I don't have XP on my laptop.
>
> Thanks,
> Sam Munzani
> CCIE # 6479 (R&S, Security)
>
>
> > Hello everyone;
> >
> > Has anyone tinkered with the NAT Traversal VPN on the new PIX 6.3.1
> > release? It's supposed to be in there (somewhere) but I'll be danged
> > if I can find explicit documentation on how to enable it.
> >
> > Have you also noticed that the new VPN client 4.01 is out? It
> > actually works with the WinXP easy login since it installs a driver
> > vs. a shim into the OS.
> >
> > Chris Johnston
> > 714-306-5746
> > 949-653-8819 (fax)
> >
> > Cannot find REALITY.SYS. Universe halted.
> > -------------------------------------------------------------------
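The classful-mask behaviour Chris describes above (a /26 in the SA, but a /16 mask on the client adapter), as an added example that is not part of this thread: a short Python check that computes the mask a classful client would apply to a pool address and reports which other networks that oversized on-link route would shadow. The SA is the one quoted in the thread; the assigned address is assumed to be 172.23.230.193 (inside that SA), and the list of other networks is constructed.

```python
import ipaddress

def classful_prefix(addr: str) -> int:
    """Prefix length a classful host derives from the first octet alone."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8        # Class A
    if first_octet < 192:
        return 16       # Class B (172.x.x.x lands here, hence the /16)
    if first_octet < 224:
        return 24       # Class C
    raise ValueError(f"{addr} is not a class A/B/C unicast address")

def client_on_link_route(addr: str) -> ipaddress.IPv4Network:
    """Network the client treats as directly attached via the VPN adapter."""
    return ipaddress.ip_network(f"{addr}/{classful_prefix(addr)}", strict=False)

def shadowed_networks(addr: str, sa_network: str, other_networks):
    """Networks inside the classful route but not part of the SA.

    The client will send traffic for these out the VPN adapter as if they
    were on-link, instead of routing them normally: the overlap Sam says he
    was lucky to avoid."""
    route = client_on_link_route(addr)
    sa = ipaddress.ip_network(sa_network, strict=False)
    shadowed = []
    for n in other_networks:
        net = ipaddress.ip_network(n, strict=False)
        if net.overlaps(route) and not net.subnet_of(sa):
            shadowed.append(net)
    return shadowed

if __name__ == "__main__":
    # Assumed assigned address and the SA quoted in the thread.
    pool_addr = "172.23.230.193"
    sa = "172.23.230.192/26"
    # Constructed list of other networks reachable from the client.
    others = ["172.23.10.0/24", "10.0.0.0/8", "172.23.230.192/26", "192.168.1.0/24"]
    print("intended SA route :", sa)
    print("client on-link    :", client_on_link_route(pool_addr))
    for net in shadowed_networks(pool_addr, sa, others):
        print("shadowed          :", net)
```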
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:43 GMT-3