[fw-wiz] Re: firewall-wizards digest, Vol 1 #1180 - 6 msgs

gcisternas_at_acapomil.cl
Date: 01/21/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 21 Jan 2004 09:03:43 -0300 (CLST)
    
    

    > From: Allendes Fernando <fallendes@atichile.com>
    > To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    > Date: Mon, 12 Jan 2004 19:28:39 -0300
    > Subject: [fw-wiz] NAT inside a VPN between PIX and Cisco device
    >
    > Hello:
    > We are trying to make a VPN between a PIX and a Cisco device, but using
    > NAT with the PIX external IP. The picture is like:
    > Internal IP ----> PIX (NAT) ----> Internet ----> Cisco Router --->
    > "Routable IP"
    > Because the Cisco Router has internal and routable networks, we
    > must make a VPN from the PIX using NAT inside the VPN.
    > At least, we set up such a VPN but using two external IPs on the PIX. Do
    > you know how we can do it using only one external IP on the PIX?
    >
    > Regards,
    > Fernando Allendes.

    Hi all:

    Let's see: (X) <---> (NAT) <===> (Inet) <===> (Cisco) <---> (Dest)

    --- Unciphered flow
    === Ciphered flow

    This is an idea only.

    Maybe your VPN was configured in tunnel mode. This is because when the packets
    in tunnel mode arrive at the (Cisco)<--->(Dest) segment they are
    unroutable, because their addresses aren't valid outside X's network. If this
    were possible to implement, it would need the route from (Dest) to the
    external IP of (NAT), and a rule in (NAT) which will translate the packet's
    destination IP to the IP known for X, and in this scenario the (NAT) box will need an
    extra IP in order to translate only that VPN-redirection configuration.

    So, try to configure the VPN in transport mode. Maybe that way you
    could save one external IP.

    Regards.

    G.C.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
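The addressing point G.C. makes above, as an added illustration that is not part of the thread: a byte-level model of the two ESP encapsulations (no encryption, no checksums) showing which source address (Dest) ends up seeing after the Cisco strips ESP. The addresses, the PIX/Cisco behaviour in each mode and the TCP segment are all constructed assumptions for the diagram, not a claim about what the PIX supports.

```python
import ipaddress
import socket
import struct

# Constructed addresses for the diagram (X) <-> (NAT/PIX) <=> (Inet) <=> (Cisco) <-> (Dest)
X_NETWORK = ipaddress.ip_network("10.1.1.0/24")   # X's addresses are valid only here
X_PRIVATE = "10.1.1.5"
PIX_EXTERNAL = "203.0.113.1"                      # the single external IP on the PIX
CISCO_EXTERNAL = "198.51.100.1"
DEST = "198.51.100.50"
PROTO_TCP, PROTO_ESP, NEXT_IPIP = 6, 50, 4

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since only addressing matters here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ip(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "payload": pkt[20:f[2]]}

def esp_wrap(payload, next_header, spi=0x1000, seq=1):
    """ESP header (SPI, sequence) + payload + trailer next-header byte; encryption omitted."""
    return struct.pack("!II", spi, seq) + payload + bytes([next_header])

def esp_unwrap(esp):
    return esp[8:-1], esp[-1]

def pix_tunnel_mode(x_pkt):
    """Tunnel mode: X's whole packet, private source included, rides unchanged inside ESP."""
    esp = esp_wrap(x_pkt, NEXT_IPIP)
    return ip_header(PIX_EXTERNAL, CISCO_EXTERNAL, PROTO_ESP, len(esp)) + esp

def pix_transport_mode(x_pkt):
    """Transport mode (G.C.'s idea): only the transport payload is protected, so the PIX
    first translates X's source to its own external IP; that address is what reaches Dest."""
    inner = parse_ip(x_pkt)
    esp = esp_wrap(inner["payload"], inner["proto"])
    return ip_header(PIX_EXTERNAL, inner["dst"], PROTO_ESP, len(esp)) + esp

def cisco_decapsulate(pkt):
    """What the Cisco forwards onto the (Cisco)<->(Dest) segment after removing ESP."""
    outer = parse_ip(pkt)
    payload, next_header = esp_unwrap(outer["payload"])
    if next_header == NEXT_IPIP:                 # tunnel mode: inner packet forwarded as-is
        return payload
    return ip_header(outer["src"], outer["dst"], next_header, len(payload)) + payload

def source_seen_by_dest(mode_fn):
    """Return (source address, routable outside X's network?) for a constructed TCP segment."""
    segment = b"\x04\xd2\x00\x50" + b"\x00" * 16   # constructed 20-byte TCP header
    x_pkt = ip_header(X_PRIVATE, DEST, PROTO_TCP, len(segment)) + segment
    seen = parse_ip(cisco_decapsulate(mode_fn(x_pkt)))
    return seen["src"], ipaddress.ip_address(seen["src"]) not in X_NETWORK
```

Translating the source before protecting the segment also invalidates the TCP checksum X computed over its private address, which is the classic IPsec-through-NAT interaction a practitioner would verify on real gear before relying on this idea.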

