RE: [fw-wiz] Clients can't access PIX w/ VPN from behind NAT devices using the newest Cisco client.

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 10/22/03

  • Next message: Scot Kreienkamp: "RE: [fw-wiz] Cisco PIX DHCP relay via IPSEC"
    To: "Vincent Martin" <VMartin@4service.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 22 Oct 2003 13:00:01 -0400
    
    

    Part of the issue is that the NAT device is changing the source ports on
    the VPN client, which causes problems for the PIX unless `isakmp
    nat-traversal` (which, as you said, is available in PIX OS 6.3) is set
    in the config. Depending on the NAT device, you may be able to
    statically map the source port based on the destination port and/or
    address. In some D-Link, Linksys, and probably other SOHO products,
    there is a feature called "IPSec Passthrough" that can be enabled. On a
    Linux or *BSD type firewall, you can do this manually. With pf, you
    want to use 'static-port'. Here is the nat rule from pf.conf on my
    OpenBSD firewall. The interface and network macros are defined
    elsewhere in the config, but you get the idea.

    nat on $ext_if from 10.0.0.247/32 to $vpn_nets -> ($ext_if) static-port

    PaulM

    -----Original Message-----
    I am having some problems connecting to a PIX firewall VPN connection
    using the Cisco client when the clients are behind a NAT device to the
    Internet. Is there a way to let them connect without giving them a
    routable IP address or modifying their routers at all? Have any of you
    ever had to get past this problem? Is it possible to get past this
    problem? I am new to PIX but I have done some research. It seems that
    we need version 6.3 of the OS and that possibly doing NAT traversal
    would help. All this is configured though. Any help would be great.
    Thanks a lot.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
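Editor's added example (not code from the original post, from Cisco or from OpenBSD): a small model of why a port-rewriting NAT breaks plain IKE on UDP 500 and what `isakmp nat-traversal` changes. It implements the NAT-D payload hash that IKEv1 NAT traversal (RFC 3947) uses to detect a NAT in the path, then applies a simplified decision table matching the outcomes Paul describes: NAT-T enabled floats the exchange to UDP 4500, while without NAT-T the session only survives if the NAT preserved source port 500 (pf `static-port` or a SOHO "IPSec Passthrough" feature). The ISAKMP cookies, the client address 10.0.0.247 (taken from the pf rule above) and the public address 198.51.100.7 are constructed test values; the decision table is a model of the post's claims, not a PIX implementation.

```python
"""Why a port-rewriting NAT breaks IKE, and what nat-traversal changes.

Added example; not code from the original post or from Cisco/OpenBSD.
It models IKEv1 NAT detection (the NAT-D payloads of RFC 3947) plus a
simplified decision table for the responder. Cookies, addresses and ports
are constructed test values (10.0.0.247 is the client from the pf rule,
198.51.100.7 stands in for the NAT device's public address).
"""
import hashlib
import ipaddress
import struct

ISAKMP_PORT = 500     # IKE without NAT-T: both peers talk on UDP 500
NAT_T_PORT = 4500     # after NAT detection, IKE and ESP float to UDP 4500

# Constructed 8-byte ISAKMP cookies for the two sides of one exchange.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """NAT-D payload contents (RFC 3947 section 3.2):
    HASH(CKY-I | CKY-R | IP | Port), IP and port in network byte order.
    The hash is whichever one the peers negotiated; SHA-1 is used here."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def nat_detected(cky_i: bytes, cky_r: bytes, claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Responder-side check. The initiator hashed the address and port it
    believes it is sending from; the responder hashes what actually arrived.
    A NAT that rewrites either the address or the port makes the two differ."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def choose_transport(nat_present: bool, nat_t_enabled: bool,
                     observed_port: int) -> str:
    """Simplified model of the outcomes described in the post.

    - no NAT in the path: plain IKE on UDP 500 works with or without NAT-T
    - NAT present and nat-traversal enabled: both sides float to UDP 4500
      (UDP encapsulation, so the NAT may rewrite ports freely)
    - NAT present, no NAT-T: only works if the NAT kept the source port at
      500 (pf 'static-port' or a SOHO 'IPSec Passthrough' feature)
    """
    if not nat_present:
        return "udp/500"
    if nat_t_enabled:
        return "udp/4500"
    if observed_port == ISAKMP_PORT:
        return "udp/500"
    return "fail: source port rewritten and no nat-traversal"


def simulate(nat_rewrites_port: bool, pix_nat_t: bool) -> str:
    """Run one client-behind-NAT scenario and return the resulting transport."""
    client_ip, client_port = "10.0.0.247", ISAKMP_PORT       # what the client hashes
    nat_ip = "198.51.100.7"                                  # constructed public address
    nat_port = 53124 if nat_rewrites_port else ISAKMP_PORT   # PAT vs static-port
    nat = nat_detected(CKY_I, CKY_R, client_ip, client_port, nat_ip, nat_port)
    return choose_transport(nat, pix_nat_t, nat_port)


if __name__ == "__main__":
    for rewrites, natt in [(True, False), (True, True), (False, False), (False, True)]:
        print(f"port rewritten={rewrites!s:5} nat-traversal={natt!s:5} "
              f"-> {simulate(rewrites, natt)}")
```

Note that `static-port` only fixes the port half of the problem: the NAT-D check still sees the address change, so a NAT-T-capable PIX will detect the NAT and float to 4500 regardless. The port-preserving trick matters for the case the original poster is in, a client behind a NAT talking to a PIX that is not doing NAT traversal.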

