Using PC Anywhere through VPN tunnel (IPSec) Firewall/NAT on both ends

S Connelly
I want to connect to a PC Anywhere host using a VPN client (currently a Cisco client).  Unfortunately it is not possible to do this with each end having NAT.  Apparently IPSec doesn't support VPN through NAT.

Pictorial diagram:

PCANYWHERE remote PC ---- NAT/FIREWALL ------- <INTERNET> ------ NAT/FIREWALL ---- PCANYWHERE host PC

How can I make a secure VPN-type connection this way?

We are starting off with one site as a proof of concept but eventually we want to replace all the expensive telephone dialup connections with Internet VPN connections.  We require a one technology fits all solution (if possible).  Can this be done?  If so, what software is required?

I'm willing to offer more points depending on the detail and how soon an acceptable solution is given.

Thank you,
SDC
"Apparently IPSec doesn't support VPN through NAT"

More correctly, the firewall or Cisco client does not support this config - I know this will work if both firewalls run Linux (and the Cisco client is not too anal [why does anyone use the Cisco client?!? - doesn't a generic IPSEC connection work as well?]), but I've not implemented this myself.

In any case, wouldn't a VPN between the two firewalls achieve the same result, without adding the additional security headache of allowing an internal PC a direct circuit (via the VPN) to another, presumably insecure, site?  I see no good reason (within this config) to make more than one local machine perform firewall duty...

Cheers,
-Jon

Hello,

Read your problem and thought I'd offer some input...may help, may not.  If not just ignore.

I don't see where the VPN is in this solution.  At my different sites I put a VPN concentrator in parallel to each sites firewall.  This costs me one public address each site but we had them to spare.  The VPN concentrator is a secure device and putting it in parallel to the firewall is an accepted practice.

I had a situation where I only wanted PCAnyWhere access to a PC on a particular subnet.  Perhaps the setup for that will help you a little with this situation.  This for me involved creating a group and configuring rules/filters (Policy Management) to allow only PCAnyWhere access to this one network, I then applied that filter to the group.

(You can do this with an access list if you are using a router.  I use a Cisco 3015 VPN Concentrator.)

Under the following:
Configuration
  Policy Management
    Traffic Management
      Rules

I added four rules I called them: PCAnyWhereInUDP, PCAnyWhereOutUDP, PCAnyWhereInTCP, PCAnyWhereOutTCP.

On the PCAnyWhereIn rules I put the following info:

-Direction: Inbound
-Action: Forward
-Protocol:  (TCP for the TCP rule and UDP for the UDP rule)
-TCP Connection: Don’t Care
-Source address: 0.0.0.0 Mask 255.255.255.255
-Destination address: 172.20.16.0 Mask 0.0.3.255 [This is a sample network; use the one your PCAnyWhere station is on.  Note the mask is inverted: this mask equals 255.255.252.0.]
-TCP/UDP Source port: range 0 to 65535
-TCP/UDP Dest. Port: range 5631 to 5632 **(this is important, this is the port range used by PCAnyWhere… at least 9.x and above; before 9.x it is different, you can easily find that info on the web).

On the PCAnyWhereOut rules I put the following info:

-Direction: Outbound
-Action: Forward
-Protocol:  (TCP for the TCP rule and UDP for the UDP rule)
-TCP Connection: Don’t Care
-Source address: 0.0.0.0 Mask 255.255.255.255
-Destination address: 0.0.0.0 Mask 255.255.255.255 [We don’t really need to specify outbound]
-TCP/UDP Source port: range 5631 to 5632 (I did specify return port)
-TCP/UDP Dest. Port: range 0 to 65535

I then created a filter under:

Configuration
  Policy Management
    Traffic Management
      Filters

I added the filter PCAnyOnly:

After adding the filter I assigned all four rules (of course click the button that says add rules to filter).

I then created a standard group and under the General tab (when configuring the group) there is a section for assigning a filter.  I pulled down this menu and selected my newly defined filter.

***In your problem you say you use the VPN client.  Start the VPN dialer and go to the Options… Properties section.

Ensure that “enable transparent tunneling” is selected.
There are two options under this…Allow IPSec over UDP (Nat/Pat) and Use IPSec over TCP…(I use the first).

****If you have your VPN solution behind a firewall you will need to ensure that TCP/UDP 500 and protocol 50 are allowed through (isakmp).  Also of course allow TCP/UDP 5631 and 5632 PCAnyWhere, newer versions.

*****If you are trying to PCAnyWhere between sites another method would be to do a VPN to VPN connection (Lan 2 Lan).  This would encrypt traffic between the two sites:  You can do Lan 2 Lan and or network extension.  I’ve done something similar with a VPN 3015 at our main site and VPN 3002 hardware clients at remote sites.  If you get the 3002 make sure you get the 8 port one.

Sorry to be long winded hope some of this helps.
doh,

Forgot to tell you about setting up the client... Create a .pcf file with the new group name and password info and put it under the profiles directory... If you need a sample you probably already have one listed under that directory, or go to cisco.com.


c:\Program files\cisco systems vpn client\profiles.

When you start the dialer go to Options...Import Entry and point to the file you created.
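The rule/filter build-out above is easy to get subtly wrong (the inverted mask, the direction of the port ranges on the In versus Out rules). The following is an added example, not code from the original thread or from Cisco: a small Python model of the concentrator's rule evaluation (direction, action, protocol, address plus inverted wildcard mask, port ranges) with the four PCAnyWhere rules entered into it, so you can check that the PCAnyOnly filter admits only TCP/UDP 5631-5632 toward the sample 172.20.16.0 subnet and nothing else. First-match semantics and a default action of drop are assumptions made for the example; the remote address 203.0.113.10 and all packets are constructed sample data.

```python
"""Added example, not from the original thread: a model of the VPN
concentrator's rule/filter evaluation used to verify the PCAnyOnly filter.
Field names, first-match semantics and the default "drop" are assumptions;
every address and packet below is constructed sample data."""
from dataclasses import dataclass
import ipaddress


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Turn an inverted (wildcard) mask such as 0.0.3.255 into a prefix length.
    The concentrator's mask field is inverted: 0.0.3.255 means 255.255.252.0 (/22),
    and 255.255.255.255 means "any address" (/0)."""
    inverted = int(ipaddress.IPv4Address(wildcard))
    netmask = (~inverted) & 0xFFFFFFFF
    ones = bin(netmask).count("1")
    # A usable netmask is a run of ones followed by zeros; reject anything else.
    if netmask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ones


def netmask_of(wildcard: str) -> str:
    """Dotted-quad netmask equivalent to a wildcard mask (0.0.3.255 -> 255.255.252.0)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{wildcard_to_prefixlen(wildcard)}").netmask)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected network
    protocol: str    # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str          # "forward" or "drop"
    protocol: str
    src: str             # "address wildcard", e.g. "0.0.0.0 255.255.255.255"
    dst: str
    src_ports: tuple     # inclusive (low, high)
    dst_ports: tuple

    @staticmethod
    def _addr_matches(spec: str, ip: str) -> bool:
        addr, wildcard = spec.split()
        net = ipaddress.IPv4Network(f"{addr}/{wildcard_to_prefixlen(wildcard)}", strict=False)
        return ipaddress.IPv4Address(ip) in net

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and pkt.protocol == self.protocol
                and self._addr_matches(self.src, pkt.src_ip)
                and self._addr_matches(self.dst, pkt.dst_ip)
                and self.src_ports[0] <= pkt.src_port <= self.src_ports[1]
                and self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1])


def evaluate(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule decides; with no match the filter's default applies
    (assumed "drop", the safe setting for a PCAnyWhere-only group)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The four rules from the post.  172.20.16.0 with wildcard 0.0.3.255 is the
# sample subnet used there; 5631-5632 are the PCAnyWhere ports it names.
ANY = "0.0.0.0 255.255.255.255"
PCANY_SUBNET = "172.20.16.0 0.0.3.255"
PCANY_ONLY = [
    Rule("PCAnyWhereInTCP", "in", "forward", "tcp", ANY, PCANY_SUBNET, (0, 65535), (5631, 5632)),
    Rule("PCAnyWhereInUDP", "in", "forward", "udp", ANY, PCANY_SUBNET, (0, 65535), (5631, 5632)),
    Rule("PCAnyWhereOutTCP", "out", "forward", "tcp", ANY, ANY, (5631, 5632), (0, 65535)),
    Rule("PCAnyWhereOutUDP", "out", "forward", "udp", ANY, ANY, (5631, 5632), (0, 65535)),
]

# Constructed sample traffic from a remote client (203.0.113.10, a documentation
# address) to a host inside the sample subnet and one outside it.
SAMPLE_PACKETS = {
    "pcanywhere_to_host":      Packet("in", "tcp", "203.0.113.10", "172.20.17.5", 40000, 5631),
    "pcanywhere_udp_to_host":  Packet("in", "udp", "203.0.113.10", "172.20.17.5", 40000, 5632),
    "rdp_to_host":             Packet("in", "tcp", "203.0.113.10", "172.20.17.5", 40001, 3389),
    "pcanywhere_other_subnet": Packet("in", "tcp", "203.0.113.10", "172.20.20.5", 40002, 5631),
    "host_reply":              Packet("out", "tcp", "172.20.17.5", "203.0.113.10", 5631, 40000),
    "host_web_out":            Packet("out", "tcp", "172.20.17.5", "203.0.113.10", 50000, 80),
}


def decisions(rules=PCANY_ONLY, packets=SAMPLE_PACKETS) -> dict:
    """Map each sample packet name to the filter's decision."""
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("0.0.3.255 ->", netmask_of("0.0.3.255"))
    for name, verdict in decisions().items():
        print(f"{name:26s} {verdict}")
```

Running it shows the two things worth confirming before applying the filter to a group: 0.0.3.255 really is 255.255.252.0, so a PCAnyWhere session to 172.20.20.5 falls outside the sample subnet and is dropped, and the Out rules match on the source port (5631-5632), so the host's replies are forwarded while its other outbound traffic is not.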

S Connelly (Technical Writer, Author) commented:
Thank you everyone for some good information.

Allow me to expand upon what I originally asked.

I have complete flexibility on one side of the Internet only.  The other side represents a non-affiliated client and often I cannot dictate what VPN and/or Firewall technology they use.

The bottom line is we need a dial-up via telephone alternative (as a means to save money), however, to do this through the Internet means I must find a secure and highly adaptable means of communications.  As I previously stated, "one technology fits all" solution.

Setting up a concentrator with a private subnet and in/outbound rules/filters is possible on my end but it will be very difficult at the clients’ site.

Is it possible to achieve my goal with minimal changes at the clients’ site?


Thank you

OK, then - what technology do you have to work with on the "inflexible" end (what hardware, OS, software, etc)...?

If you can be flexible on the other end, it seems all that is needed is to conform to the requirements of the "inflexible" end.

Or if you have the exact same software and hardware as CodeNameWizard or don't mind wasting a ton of cash, you could go with that solution (sorry, couldn't resist).

I await your response.

Cheers,
-Jon

S Connelly (Technical Writer, Author) commented:
On my end, I'm considering the Cisco PIX 500 product as it appears to meet my criteria.  

On the other end it could be anything!!  I cannot control the other end, however, I might be able to convince the customer to allow me access to their internet (most likely NAT and some form of firewall).

Perhaps I can simply use PPTP or some commercial VPN product.  I don't know?  Again, I have no control over the other end except giving the customer IP ports to open as long as I can guarantee security.

I'm trying to save LD charges by going Internet/VPN.  

So is this thought of eliminating dial-up telephone connections a pipe-dream?
>So is this thought of eliminating dial-up telephone connections a pipe-dream?

No, but the requirement of arbitrary hardware and software on the remote end makes this much more difficult.  When folks ask for a one-size-fits-all solution, I generally recommend some sort of unix-based solution, since most of the open-source unix/linux distributions offer some form of compiler, and newly developed features/code can be quickly integrated (rather than having to shell out mucho $$ for yet another IOS upgrade).

As for the other end, if they want to do goofy stuff like running VPN clients behind NAT boxes, etc, then you shouldn't worry about it - it is up to them to make their own wacky configs work, since you seem to have no control over what they do on their end of the connection anyway...  In any case, all you can do is set up your side in the most reasonable fashion (i.e. do not run your VPN server behind a firewall if possible - the VPN server should either be your firewall, or be similarly secure and externally connected).

Cheers,
-Jon

P.S.  Some of the above advice contains certain generalizations to avoid overly confusing scenarios - if you can identify all the exceptions to the above generalizations, then you probably don't need my advice...

Les Moore (Sr. Systems Engineer, Top Expert 2008) commented:
G'day, sconnell
There has not been any activity on this question in 110 days.
Do you still need assistance, need more information, or have you solved your problem?
Can you close out this question?
S Connelly (Technical Writer, Author) commented:
Thank you for everyone's help.
