Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2249
  • Last Modified:

IPSec VPN connection from behind a PAT firewall?

Hi folks,

I know that I cannot create a outbound PPTP-based VPN connection from behind my PAT firewall (Cisco PIX) without creating static mappings between the internal (private) and an external (public) address. Obviously this isn't feasible, since I would need to have a separate public address for everyone who needs/wants to make an outbound VPN connection, and I'd need to setup static mappings for each address.

However; can anyone confirm or deny whether this is possible when using IPSec to create the firewall connection?

Basically, I would like to have a way to allow people from behind my firewall to make a VPN connection to another office, ideally without 1-1 address mapping. I don't want to have a LAN-LAN VPN tunnel, I want it PC-LAN.

Thanks!
JP
0
JammyPak
Asked:
JammyPak
  • 3
  • 2
1 Solution
 
_nn_Commented:
I don't see how. IPSec needs UDP 500 and IP proto 50/51. In a sense, it's "IP-in-IP", so AFAIK, it can't work through a PAT.
0
 
t1n0m3nCommented:
Yes I use IPSec through NAT all the time.

The trick is to enable the "IPSEC over TCP" setting in the client that you are using, and make sure that it is enabled on the other side as well.
You can also use UDP instead of TCP.

Basically, the protocol 50 (and 51 if you are using AH) will get encapsulated in a TCP packet and look like normal TCP/IP traffic to the NAT device.

I have many contractors that use this type of connectivity today.
0
 
t1n0m3nCommented:
BTW the default TCP port for IPSec over TCP is port 10000.
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
t1n0m3nCommented:
Basically, the protocol 50 (and 51 if you are using AH) will get encapsulated in a TCP packet and look like normal TCP/IP traffic to the NAT device.

NAT should read PAT
0
 
JammyPakAuthor Commented:
Hi folks, thanks for the responses.

t1n0m3n, I'll try this out and let you know how it goes!
0
 
JammyPakAuthor Commented:
Seems to work great - thanks!
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now