Solved

IPSec VPN connection from behind a PAT firewall?

Posted on 2003-10-22
6
2,231 Views
Last Modified: 2008-03-10
Hi folks,

I know that I cannot create a outbound PPTP-based VPN connection from behind my PAT firewall (Cisco PIX) without creating static mappings between the internal (private) and an external (public) address. Obviously this isn't feasible, since I would need to have a separate public address for everyone who needs/wants to make an outbound VPN connection, and I'd need to setup static mappings for each address.

However; can anyone confirm or deny whether this is possible when using IPSec to create the firewall connection?

Basically, I would like to have a way to allow people from behind my firewall to make a VPN connection to another office, ideally without 1-1 address mapping. I don't want to have a LAN-LAN VPN tunnel, I want it PC-LAN.

Thanks!
JP
0
Comment
Question by:JammyPak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 16

Expert Comment

by:_nn_
ID: 9598957
I don't see how. IPSec needs UDP 500 and IP proto 50/51. In a sense, it's "IP-in-IP", so AFAIK, it can't work through a PAT.
0
 
LVL 3

Accepted Solution

by:
t1n0m3n earned 500 total points
ID: 9621266
Yes I use IPSec through NAT all the time.

The trick is to enable the "IPSEC over TCP" setting in the client that you are using, and make sure that it is enabled on the other side as well.
You can also use UDP instead of TCP.

Basically, the protocol 50 (and 51 if you are using AH) will get encapsulated in a TCP packet and look like normal TCP/IP traffic to the NAT device.

I have many contractors that use this type of connectivity today.
0
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 9621269
BTW the default TCP port for IPSec over TCP is port 10000.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Expert Comment

by:t1n0m3n
ID: 9621274
Basically, the protocol 50 (and 51 if you are using AH) will get encapsulated in a TCP packet and look like normal TCP/IP traffic to the NAT device.

NAT should read PAT
0
 
LVL 16

Author Comment

by:JammyPak
ID: 9629432
Hi folks, thanks for the responses.

t1n0m3n, I'll try this out and let you know how it goes!
0
 
LVL 16

Author Comment

by:JammyPak
ID: 9653739
Seems to work great - thanks!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VLAN CONFIGURATION 2 58
How Can i get Two 3-User licenses of Quickbooks to work??? 6 83
Certifications 8 36
Change to New Domain, carry Wks configs foward? 4 25
Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question