dvanaken
asked on
Cisco VPN client through firewall in NAT mode
We have been using Cisco Windows client for several months to access clients development networks. We are running our LAN behind a SonicWall TZ170 in transparent mode with our ISP's Adtran router doing NAT - no problems. I recently shifted the SonicWall to NAT mode so as to have better control of mappings and security. VPN blew up - only one session would work for reasons I now understand being limitations of IPSec tunnels. SonicWall technical support (poor) told me - "can't be done" - incident closed. In doing more research, I found that the solution may be NAT-T. SonicWall Support claims NO knowledge of this and has no idea if it will ever be supported. In the meantime, I found a Microsoft article that suggests that if the VPN server and the client both have NAT-T enabled, this should function behind a NAT device.
Quote " After you install this update, Windows 2000 and Windows XP-based L2TP/IPsec clients can create IPsec connections from behind a NAT device. "
Full article:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043
Ok, who's right here? Do I need a new firewall or firewall firmware, or should this work right now assuming the Cisco VPN device has firmware supporting NAT-T (recently released according to Cisco)? These are XP/SP2 machines so it appears that the client machines will do NAT-T. I am willing to experiment but if this is definitely a no-go from the firewall, I won't waste my time.
Thanks for helping set me straight!
--Dale
ASKER
Thanks - how do I "use" NAT-T? It seems like the Windows clients are capable since they are SP2 - if the Cisco VPN server is NAT-T capable should this just work automatically? Are there any other ports that need to be open, etc. In other words, since it failed, it must not be using NAT-T - what steps do I take?
Thanks
--Dale
ASKER CERTIFIED SOLUTION
ASKER
I have two Cisco VPN clients - 4.0.5(A) and 4.0.3(D) - neither mention NAT-T anywhere in their configuration. I'm wondering - it seems from Microsoft's KB article that NAT-T is built into SP2 - are you sure that the client needs to turn this option on? It might be a lower level network option somewhere... has anyone actually used NAT-T on Cisco VPN client under XP? I'd appreciate knowing about any actual experiences. --Dale
Ignore what MS say about SP2. That is for the built in VPN client only. You are using the Cisco client.
Run the Cisco client and choose to modify the settings. Go to the 'transport' tab and 'enable transparent tunneling' should be ticked. Also 'IPsec over UDP' should be selected.
This is in version 4.6 of the client. I would advise that you get a newer client as there have been updates since 4.0.5 to fix some problems introduced with SP2.
SOLUTION
ASKER
Ok - I was successful in installing 4.6 client and it works with the NAT on my router and the SonicWall in transparent mode (old configuration). If we do the following:
- change the server (don't know what it is) to permit NAT-T
- open up 4500 UDP outbound (on both ends?)
- select the IPSEC/UDP option on the client
THEN change my firewall back to NAT mode instead of transparent mode, this should work? I have to knock down a working system to try this so I want to be sure I have not missed anything. Thanks - Dale
You shouldn't need to open up 4500 either end because outbound should already be allowed. SPI will take care of the corresponding inbound, and the remote server will handle it on that end.
Are you still working on this?
Have you found a solution?
Do you need more information?
Can you close out this question? See here for details:
https://www.experts-exchange.com/help.jsp#hs5
Thanks for your attention!
ASKER
Finally got around to this! Took a firewall upgrade - thanks for the help, guys! --Dale
If you use NAT-T then all traffic is UDP based so much easier for the firewall to track and you should then have no problems. NAT-T was designed to overcome the problem you are experiencing.
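The two points made in this thread (the "only one session would work" failure behind NAT, and the final comment that NAT-T makes everything UDP and therefore easy for the firewall to track) can be shown with a toy port-translating NAT. This is an added illustration, not code from the thread, from Cisco or from SonicWall; the addresses and the 40000 starting port are constructed.

```python
# Added example (not from the thread, nor Cisco/SonicWall code): a toy port
# address translator showing why only one raw-ESP tunnel survives behind a NAT
# while NAT-T (ESP inside UDP/4500) lets every client get its own mapping.
from dataclasses import dataclass, field

UDP, ESP = 17, 50               # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500 # IKE and NAT-T ports mentioned in the thread

@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: int = 0              # 0 = "no port" (ESP has none)
    dport: int = 0

@dataclass
class ToyPat:
    """Port address translation keyed the way inbound replies are matched."""
    public_ip: str
    table: dict = field(default_factory=dict)   # inbound key -> internal host
    next_port: int = 40000                      # constructed starting port

    def outbound(self, f: Flow) -> bool:
        """Create a mapping; return False when the reply path would be ambiguous."""
        if f.proto == UDP:
            # Each client gets a distinct public source port, so a reply to
            # (UDP, public_port) is unambiguous. NAT-T rides on exactly this.
            key = (UDP, self.next_port)
            self.next_port += 1
        else:
            # Raw ESP carries no ports. The NAT can only key inbound packets
            # on (protocol, peer IP); the inbound SPI is chosen by the peer and
            # unknown in advance, so a second host to the same peer collides.
            key = (ESP, f.dst)
            if key in self.table and self.table[key] != f.src:
                return False
        self.table[key] = f.src
        return True

def tunnels_that_work(clients, vpn_server, nat_t: bool):
    """Return the internal hosts whose tunnel to vpn_server gets a NAT mapping."""
    pat = ToyPat("203.0.113.10")            # constructed public address
    ok = []
    for host in clients:
        flow = (Flow(UDP, host, vpn_server, NATT_PORT, NATT_PORT) if nat_t
                else Flow(ESP, host, vpn_server))
        if pat.outbound(flow):
            ok.append(host)
    return ok
```

With three LAN hosts behind the same NAT, raw ESP leaves only the first tunnel usable, while NAT-T gives all three their own UDP mapping that a stateful firewall can track like any other outbound UDP flow.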