Solved

VPN on Cisco PIX with NAT - what are my options to make it work?

Posted on 2002-05-23
12
654 Views
Last Modified: 2010-04-11
hi guys,

What options do I have if I want to run a VPN using Cisco PIX behind my NAT device (which is separate from the Cisco)? If possible, I would like to run IPSEC, but the NAT device as I understand does not support IPSEC. BUT I read that while NAT & IPSEC do not go well together, IP ESP[tunnel] IP TCP payload may work.

Can anybody advise me on the options I have and what you would recommend to configure on the Cisco PIX, and whether the above option (NAT+IPSEC ESP) will work?? Some detailed explanation would be great!

Thanks,




Question by:Haho
12 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 7029596
It probably depends on exactly what NAT device you have and what it supports.

Please provide more details.

See http://www.practicallynetworked.com/
http://www.practicallynetworked.com/sharing/app_port_list.htm
http://www.sohointer.net/howto/
http://www.onecomputerguy.com/networking/peer.htm
www.speedguide.net
http://www.cert.org/tech_tips/home_networks.html Firewall and security for home and offices
Test firewall ports and port blocking http://grc.com/
http://www.nipc.gov/warnings/computertips.htm
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/aus1001.asp
Protect DSL or broadband connection. ICF, ICS firewall security
Home PC Firewall Guide - http://www.firewallguide.com


Many inexpensive routers have a VPN "feature" that allows multiple client pass-thru sessions, but only one VPN session per VPN tunnel "terminator". This means that you can't connect multiple VPN clients simultaneously to the same VPN server, but can connect only one client per VPN server.

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm 
$595 ? Cisco PIX® 501 Firewall
http://www.practicallynetworked.com/support/VPN_help.htm VPN help routers

I hope this helps !

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 7031575
What's your NAT device & what sort of NAT is it doing ?
This sort of thing generally works with static one-to-one NAT, but NOT port address translation.
0
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 7053018
You need to "Allow IPSec over UDP (or TCP)" on your client.
This will encapsulate the packet with a UDP header and "unconfuse" some firewalls.  (Mainly the PIX here)
0
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 7053020
Yes it will work, as I have it running now on a PIX 520.
0
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 7053022
Ack, disregard all of my previous posts.  I reread your question.
0
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 7053026
Use a separate IP address for the VPN on your NAT device.
0
 
LVL 1

Author Comment

by:Haho
ID: 7069562
I read up a bit.. please correct me if I am wrong.

What about NAT traversal in IPSEC ESP Tunnel mode? I understand that because UDP checksums are not (usually) used, changing the IP headers (as done by NAT) will not destroy the "integrity" of the packets.

This is opposed to using TCP, which has a mandatory checksum that includes the IP header, which of course is broken if the IP headers are changed by NAT.

Also, because the outermost IP and UDP header is not in the encrypted payload, the NAT can safely change the UDP source ports and IP headers without breaking the ESP what-you-might-call-it. :)

In fact, I read that NAT traversal is the cure for all NAT deployments to run IPSEC, assuming both VPN ends support NAT Traversal.

My info is gleaned theoretically; can anybody fill me in on the practical side with Cisco PIX?


0
 
LVL 1

Expert Comment

by:Chriskohn
ID: 7074184
Hi Haho:
It may help me to describe things better if I understand more clearly just what you are working with and what type of VPN implementation you are attempting to create. Just a few questions if you don't mind?
1)Can I ask is your "NAT device" a router, ADSL modem or what?
2)What are you attempting to connect to with the PIX, are you doing a site to site VPN (from another LAN), or a Remote-User VPN from some device running Cisco client software?
3)Will you be coming from a static IP addressed source to the PIX or will you be coming from some dynamically addressed source to the PIX (ie a dial-up)?

I will watch for more details and then try to answer your question, thanks, Chriskohn
0
 
LVL 1

Author Comment

by:Haho
ID: 7074736
hi chris,

Here are the answers:
(1) a router (not cisco or ibm)
(2) A remote-user VPN
(3) dynamic (i.e. dial-up)

What do u think? Thanks for your help.
0
 
LVL 1

Expert Comment

by:Chriskohn
ID: 7076520
Okay Haho:
See your answers. It appears you are planning to connect to your PIX through your router, from the Internet when you are at some other place, and you are going to have a dynamic IP address because you are dialing into the Internet from that site? Is this correct? If so, which version of Cisco VPN client are you planning to use??? When you answer this, I will be able to direct you, Chriskohn
0
 
LVL 1

Expert Comment

by:plebras
ID: 7088733
It will be very difficult to make VPN over IPSEC with a NAT device between. The best easy solution is to make a VPN for remote clients (Microsoft Client only) with MPPE 40 and not IPSEC. It is GENERALLY OK for Proxy or other NAT devices.

For the PIX : (maybe I forgot something but I don't think so)
name 172.25.35.0 resint (for example Internal Network)
name 172.27.35.0 resvpn (ip addresses for the vpn )
ip local pool pptp-pool 172.27.35.1-172.27.35.63
sysopt connection permit-pptp
access-list 101 permit ip resint 255.255.255.0 resvpn 255.255.255.0
nat (inside) 0 access-list 101
(no nat between internal addresses and vpn clients)
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host AuthHost keyAAA
timeout 10
(if applicable for a W2K OR NT Server WITH IAS Server Installed, RADIUS Server or other method : only PIX password)
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns HostDns
vpdn group 1 client authentication aaa AuthInbound
(if applicable or only Pix Auth for the Clients)
vpdn group 1 pptp echo 60
vpdn enable outside

For The client :
Windows NT, 2000, XP: it's in the OS (Dialup and Network Connections). Define a VPN Connection IP Address: External IP Address of The Pix. In Advanced Parameters take Require Crypt and MSCHAP (not MSCHAP V2).
Then take the Internet Connection and then the VPN connection. (In 2000 XP the VPN connection can run first the Internet Connection, not with W95 and W98)
Windows 95 : you need to download the update client from Microsoft (http://support.microsoft.com Search for VPN Client)
Windows 98 : You need WINDOWS 98 SE (Second Edition): (for the install you need to install first, then uninstall drivers and reinstall, because there is a bug in the VPN CLIENT OF 95 AND 98 )

NOTE : with MPPE 40 Client YOU CAN NOT, when you are connected to the pix (VPN Tunnel active), go to the INTERNET (through the pix) or go to another card of the Pix (eg :DMZ) . YOU CAN ONLY JOIN THE INTERNAL NETWORK. The command
'sysopt ipsec pl-compatible' has no equivalent in MPPE .

0
 
LVL 1

Accepted Solution

by: matt_t1 (earned 100 total points)
ID: 7155650
I have numerous IPSec VPNs running in the wild at the moment, and most of them are subject to NAT at some point between the endpoints.  While they are not running on PIX, I can vouch for the fact that IPSec and NAT work fine together.  Basic conditions are as follows:

Permit UDP port 500 as you are likely to need IKE negotiations to establish the tunnel.  These packets can safely be NATted.

Use IPSec ESP mode rather than just AH.  This runs as IP Protocol number 50, and encrypts the whole tunneled packet including the headers, so these can't be touched by intermediate NAT devices.

I'm sure somebody else here can provide you with the PIX config to make this happen, but just don't get too hung up about the NAT causing problems.  Just be careful about the IP routing, and dealing with any RFC1918 addresses you have at either end.
0
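To make the accepted answer's point concrete, here is an added example that is not from the thread and not a real IPsec implementation: it models the ESP and AH integrity tags with HMAC and shows that a NAT rewriting the outer source address (or, for ESP-in-UDP, the source port) leaves an ESP packet intact but breaks an AH one. The header layouts, key and "ciphertext" are all constructed for the demo.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"  # constructed for the demo; not a real SA key

def ipv4_header(src, dst, proto):
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, len, id, flags, TTL, proto, csum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, src, dst)

def esp_packet(spi, seq, ciphertext):
    # ESP (IP proto 50): SPI | seq | ciphertext | ICV. The ICV covers only the ESP
    # header and ciphertext, never the outer IP/UDP headers that a NAT rewrites.
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:16]

def esp_icv_ok(esp):
    body, icv = esp[:-16], esp[-16:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:16], icv)

def ah_icv(ip_hdr, payload):
    # AH (IP proto 51), simplified: the ICV also covers the immutable IP fields,
    # including source and destination addresses, so any address rewrite breaks it.
    covered = ip_hdr[9:10] + ip_hdr[12:20] + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:16]

def ah_icv_ok(ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, payload), icv)

def udp_encap(esp, sport=4500, dport=4500):
    # NAT-T style ESP-in-UDP: UDP checksum is 0 (unused), so a port or address
    # rewrite needs no checksum fix-up and the ESP body is never touched.
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp

def nat_source(ip_hdr, new_src):
    # Source NAT on the outer header: only the source address changes.
    return ip_hdr[:12] + new_src + ip_hdr[16:20]

def nat_udp_port(udp, new_sport):
    # Port translation on the outer UDP header: only the source port changes.
    return struct.pack("!H", new_sport) + udp[2:]

def demo():
    inner = b"opaque bytes standing in for the encrypted inner IP+TCP packet"
    esp = esp_packet(0x1001, 7, inner)
    outer = ipv4_header(bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]), 50)
    ah_tag = ah_icv(outer, inner)
    natted = nat_source(outer, bytes([198, 51, 100, 9]))
    udp = nat_udp_port(udp_encap(esp), 61000)  # NAT also remaps the UDP port
    return {
        "esp_after_nat": esp_icv_ok(esp),                   # True
        "ah_after_nat": ah_icv_ok(natted, inner, ah_tag),   # False
        "esp_in_udp_after_nat": esp_icv_ok(udp[8:]),        # True
        "udp_checksum": struct.unpack("!H", udp[6:8])[0],   # 0
    }
```

The remaining practical concern from the answer, routing of RFC 1918 addresses at each end, is outside what the tags can show.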