VPN on Cisco PIX with NAT - what is my options to make it work?

hi guys,

What options do I have if I want to run a VPN using Cisco PIX behing my NAT device (which is separate from the Cisco)? If possible, I would like to run IPSEC but the NAT device as I understand does not support IPSEC. BUT I read that while NAT & IPSEC do not go well together,
IP ESP[tunnel] IP TCP payload may work.

Can anybody advice me on the options I have and what would I recommend to configure on the Cisco PIX and whether the above option (NAT+IPSEC ESP) will work?? Some detailed explanation would be great!


Who is Participating?
matt_t1Connect With a Mentor Commented:
I have numerous IPSec VPNs running in the wild at the moment, and most of them are subject to NAT at some point between the endpoints.  While they are not running on PIX, I can vouch for the fact that IPSec and NAT work fine together.  Basic conditions are as follows:

Permit UDP port 500 as you are likely to need IKE negotiations to establish the tunnel.  These packets can safely be NATted.

Use IPSec ESP mode rather than just AH.  This runs as IP Protocol number 50, and encrypts the whole tunneled packet including the headers, so these can't be touched by intermediate NAT devices.

I'm sure somebody else here can provide you with the PIX config to make this happen, but just don't get too hung up about the NAT causing problems.  Just be careful about the IP routing, and dealing with any RFC1918 addresses you have at either end.
It probably depends on exactly what NAT device you have and what it supports.

Please provide more details.

See          http://www.practicallynetworked.com/
http://www.cert.org/tech_tips/home_networks.html Firewall and security for home and offices
Test firewall ports  and port blocking http://grc.com/
Protect DSL or boradband connection. ICF, ICS firewall security
Home PC Firewall Guide - http://www.firewallguide.com 

Many inexpensive routers have a VPN "feature" that
 allows multiple client pass-thru sessions, but only one VPN   session per VPN tunnel "terminator".  This means that you  can't connect multiple VPN clients simultaneously to the same  VPN server, but can connect only one client per VPN server.

$595 ? Cisco PIX® 501 Firewall
http://www.practicallynetworked.com/support/VPN_help.htm VPN help routers

I hope this helps !

Tim HolmanCommented:
What's your NAT device & what sort of NAT is it doing ?
This sort of thing generally works with static one-to-one NAT, but NOT port address translation.
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

You need to "Allow IPSec over UDP (or TCP)" on your client.
This will encapsulate the packet with a UDP header and "unconfuse" some firewalls.  (Mainly the PIX here)
Yes it will work, as I have it running now on a PIX 520.
Ack, disreguard all of my previous posts.  I reread your question.
Use a separate IP address for the VPN on your NAT device.
HahoAuthor Commented:
I read up a bit.. pls correct me if i am wrong.

what about NAT traversal in IPSEC ESP Tunnel mode? I understand that because because UDP checksums are not (usually) used, changing the IP headers (as done by NAT) will not destroy the "integrity" of the packets.

This is opposed to using TCP which has a mandatory checksum that includes the IP header which of course is broken if the IP headers are changed by NAT.

Also because the outermost IP and UDP header is not in the encrypted payload, the NAT can safetly change the UDP source ports and IP headers without breaking the ESP what-you-might-call-it. :)

In fact, I read the NAT traversal is the cure for all NAT deployments to run IPSEC, assuming both VPN ends support NAT Traversal.

My info is gleaned theorically, can anybody fill me in on the practical side with Cisco PIX?

Hi Haho:
It may help me to describe things better if I understand more clearly just what you are working with and what type of VPN implementation you are attempting to create. Just a few questions if you don't mind?
1)Can I ask is your "NAT device" a router, ADSL modem or what?
2)What are you attempting to connect to with the PIX, are you doing a site to site VPN (from another LAN), or a Remote-User VPN from some device running Cisco client software?
3)Will you be coming from a static IP addressed source to the PIX or will you be coming from some dynamically addressed source to the PIX (ie a dial-up)?

I will watch for more details and then try to answer your question, thanks, Chriskohn
HahoAuthor Commented:
hi chris,

Here are the answers:
(1) a router (not cisco or ibm)
(2) A remote-user VPN
(3) dynamic (i.e. dial-up)

What do u think? Thanks for your help.
Okay Haho:
See your answers. It appears are you planning to connect to your PIX through your router, from the Internet when you are at some other place, and you are going to have a dynamic IP address because you are dialing into the Internet from that site? Is this correct? If so, version of Cisco VPN client are you planning to use??? When you answer this, I will be able to direct you, Chriskohn
It will be very difficult to make VPN over IPSEC with NAT device between. The Best easy solution is to make a VPN for remote client (Microsoft Client only) with MPPE 40 and not IPSEC. It is GENERALY Ok For Proxy or other Nat devices.

For the PIX : (may be I forgot something but I don't think so)
name resint (for exmple Internal Network)
name resvpn (ip addresses for the vpn )
ip local pool pptp-pool
sysopt connection permit-pptp
access-list 101 permit ip resint resvpn
nat (inside) 0 access-list 101
(no nat between internal addresses and vpn clients)
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host AuthHost keyAAA
timeout 10
(if applicable for a W2K OR NT Server WITH IAS Server Installed, RADIUS Server or other method : only PIX password)
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns HostDns
vpdn group 1 client authentication aaa AuthInbound
(if applicable or only Pix Auth for the Clients)
vpdn group 1 pptp echo 60
vpdn enable outside

For The client :
Windows NT, 2000, XP, it's in the OS (Dialup and Network Connections). Define a VPN Connection IP Adress: External Ip Adress of The Pix. In Advanced Parameters Take  Require Crypt and MSCHAP (not MSCHAP V2).
Then Take The internet Connection and then the VPN connection. (IN 2000 XP the VPN connection can run first the Internet Connection not with W95 and W98)
Windows 95 : you need to download the update client from Microsoft (http://support.microsoft.com Search for VPN Client)
Windows 98 : You need WINDOWS 98 SE (Second Edition): (for the install you need to install first then desinstall drivers  and reinstall because there is a bug in the VPN CLIENT OF 95 AND 98 )

NOTE : with MPPE 40 Client YOU CAN NOT When you are connected to the pix (VPN Tunnel active) go to the INTERNET (through the pix) or go to a other card of the Pix (eg :DMZ) . YOU CAN ONLY JOIN THE INTERNAL NETWORK. The command
'sysopt ipsec pl-compatible' has no equivalent in MPPE .

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.