Solved

VPN on Cisco PIX with NAT - what is my options to make it work?

Posted on 2002-05-23
12
608 Views
Last Modified: 2010-04-11
hi guys,

What options do I have if I want to run a VPN using Cisco PIX behing my NAT device (which is separate from the Cisco)? If possible, I would like to run IPSEC but the NAT device as I understand does not support IPSEC. BUT I read that while NAT & IPSEC do not go well together,
IP ESP[tunnel] IP TCP payload may work.

Can anybody advice me on the options I have and what would I recommend to configure on the Cisco PIX and whether the above option (NAT+IPSEC ESP) will work?? Some detailed explanation would be great!

Thanks,




0
Comment
Question by:Haho
  • 4
  • 2
  • 2
  • +4
12 Comments
 
LVL 63

Expert Comment

by:SysExpert
Comment Utility
It probably depends on exactly what NAT device you have and what it supports.

Please provide more details.

See          http://www.practicallynetworked.com/
http://www.practicallynetworked.com/sharing/app_port_list.htm
http://www.sohointer.net/howto/
http://www.onecomputerguy.com/networking/peer.htm
www.speedguide.net
http://www.cert.org/tech_tips/home_networks.html Firewall and security for home and offices
Test firewall ports  and port blocking http://grc.com/
http://www.nipc.gov/warnings/computertips.htm
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/aus1001.asp
Protect DSL or boradband connection. ICF, ICS firewall security
Home PC Firewall Guide - http://www.firewallguide.com


Many inexpensive routers have a VPN "feature" that
 allows multiple client pass-thru sessions, but only one VPN   session per VPN tunnel "terminator".  This means that you  can't connect multiple VPN clients simultaneously to the same  VPN server, but can connect only one client per VPN server.

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm  
$595 ? Cisco PIX® 501 Firewall
http://www.practicallynetworked.com/support/VPN_help.htm VPN help routers

I hope this helps !

0
 
LVL 23

Expert Comment

by:Tim Holman
Comment Utility
What's your NAT device & what sort of NAT is it doing ?
This sort of thing generally works with static one-to-one NAT, but NOT port address translation.
0
 
LVL 3

Expert Comment

by:t1n0m3n
Comment Utility
You need to "Allow IPSec over UDP (or TCP)" on your client.
This will encapsulate the packet with a UDP header and "unconfuse" some firewalls.  (Mainly the PIX here)
0
 
LVL 3

Expert Comment

by:t1n0m3n
Comment Utility
Yes it will work, as I have it running now on a PIX 520.
0
 
LVL 3

Expert Comment

by:t1n0m3n
Comment Utility
Ack, disreguard all of my previous posts.  I reread your question.
0
 
LVL 3

Expert Comment

by:t1n0m3n
Comment Utility
Use a separate IP address for the VPN on your NAT device.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 1

Author Comment

by:Haho
Comment Utility
I read up a bit.. pls correct me if i am wrong.

what about NAT traversal in IPSEC ESP Tunnel mode? I understand that because because UDP checksums are not (usually) used, changing the IP headers (as done by NAT) will not destroy the "integrity" of the packets.

This is opposed to using TCP which has a mandatory checksum that includes the IP header which of course is broken if the IP headers are changed by NAT.

Also because the outermost IP and UDP header is not in the encrypted payload, the NAT can safetly change the UDP source ports and IP headers without breaking the ESP what-you-might-call-it. :)

In fact, I read the NAT traversal is the cure for all NAT deployments to run IPSEC, assuming both VPN ends support NAT Traversal.

My info is gleaned theorically, can anybody fill me in on the practical side with Cisco PIX?


0
 
LVL 1

Expert Comment

by:Chriskohn
Comment Utility
Hi Haho:
It may help me to describe things better if I understand more clearly just what you are working with and what type of VPN implementation you are attempting to create. Just a few questions if you don't mind?
1)Can I ask is your "NAT device" a router, ADSL modem or what?
2)What are you attempting to connect to with the PIX, are you doing a site to site VPN (from another LAN), or a Remote-User VPN from some device running Cisco client software?
3)Will you be coming from a static IP addressed source to the PIX or will you be coming from some dynamically addressed source to the PIX (ie a dial-up)?

I will watch for more details and then try to answer your question, thanks, Chriskohn
0
 
LVL 1

Author Comment

by:Haho
Comment Utility
hi chris,

Here are the answers:
(1) a router (not cisco or ibm)
(2) A remote-user VPN
(3) dynamic (i.e. dial-up)

What do u think? Thanks for your help.
0
 
LVL 1

Expert Comment

by:Chriskohn
Comment Utility
Okay Haho:
See your answers. It appears are you planning to connect to your PIX through your router, from the Internet when you are at some other place, and you are going to have a dynamic IP address because you are dialing into the Internet from that site? Is this correct? If so, version of Cisco VPN client are you planning to use??? When you answer this, I will be able to direct you, Chriskohn
0
 
LVL 1

Expert Comment

by:plebras
Comment Utility
It will be very difficult to make VPN over IPSEC with NAT device between. The Best easy solution is to make a VPN for remote client (Microsoft Client only) with MPPE 40 and not IPSEC. It is GENERALY Ok For Proxy or other Nat devices.

For the PIX : (may be I forgot something but I don't think so)
name 172.25.35.0 resint (for exmple Internal Network)
name 172.27.35.0 resvpn (ip addresses for the vpn )
ip local pool pptp-pool 172.27.35.1-172.27.35.63
sysopt connection permit-pptp
access-list 101 permit ip resint 255.255.255.0 resvpn 255.255.255.0
nat (inside) 0 access-list 101
(no nat between internal addresses and vpn clients)
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host AuthHost keyAAA
timeout 10
(if applicable for a W2K OR NT Server WITH IAS Server Installed, RADIUS Server or other method : only PIX password)
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns HostDns
vpdn group 1 client authentication aaa AuthInbound
(if applicable or only Pix Auth for the Clients)
vpdn group 1 pptp echo 60
vpdn enable outside

For The client :
Windows NT, 2000, XP, it's in the OS (Dialup and Network Connections). Define a VPN Connection IP Adress: External Ip Adress of The Pix. In Advanced Parameters Take  Require Crypt and MSCHAP (not MSCHAP V2).
Then Take The internet Connection and then the VPN connection. (IN 2000 XP the VPN connection can run first the Internet Connection not with W95 and W98)
Windows 95 : you need to download the update client from Microsoft (http://support.microsoft.com Search for VPN Client)
Windows 98 : You need WINDOWS 98 SE (Second Edition): (for the install you need to install first then desinstall drivers  and reinstall because there is a bug in the VPN CLIENT OF 95 AND 98 )

NOTE : with MPPE 40 Client YOU CAN NOT When you are connected to the pix (VPN Tunnel active) go to the INTERNET (through the pix) or go to a other card of the Pix (eg :DMZ) . YOU CAN ONLY JOIN THE INTERNAL NETWORK. The command
'sysopt ipsec pl-compatible' has no equivalent in MPPE .

0
 
LVL 1

Accepted Solution

by:
matt_t1 earned 100 total points
Comment Utility
I have numerous IPSec VPNs running in the wild at the moment, and most of them are subject to NAT at some point between the endpoints.  While they are not running on PIX, I can vouch for the fact that IPSec and NAT work fine together.  Basic conditions are as follows:

Permit UDP port 500 as you are likely to need IKE negotiations to establish the tunnel.  These packets can safely be NATted.

Use IPSec ESP mode rather than just AH.  This runs as IP Protocol number 50, and encrypts the whole tunneled packet including the headers, so these can't be touched by intermediate NAT devices.

I'm sure somebody else here can provide you with the PIX config to make this happen, but just don't get too hung up about the NAT causing problems.  Just be careful about the IP routing, and dealing with any RFC1918 addresses you have at either end.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now