JammyPak
IPSec VPN connection from behind a PAT firewall?

Hi folks,

I know that I cannot create an outbound PPTP-based VPN connection from behind my PAT firewall (Cisco PIX) without creating static mappings between the internal (private) and an external (public) address. Obviously this isn't feasible, since I would need to have a separate public address for everyone who needs/wants to make an outbound VPN connection, and I'd need to set up static mappings for each address.

However, can anyone confirm or deny whether this is possible when using IPSec to create the firewall connection?

Basically, I would like to have a way to allow people from behind my firewall to make a VPN connection to another office, ideally without 1-1 address mapping. I don't want to have a LAN-LAN VPN tunnel, I want it PC-LAN.

Thanks!
JP
_nn_

I don't see how. IPSec needs UDP 500 and IP proto 50/51. In a sense, it's "IP-in-IP", so AFAIK, it can't work through a PAT.
ASKER CERTIFIED SOLUTION
t1n0m3n
BTW the default TCP port for IPSec over TCP is port 10000.
Basically, the protocol 50 (and 51 if you are using AH) will get encapsulated in a TCP packet and look like normal TCP/IP traffic to the NAT device.

NAT should read PAT
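The mechanism t1n0m3n describes, shown as an added example (not code from the thread or from Cisco): a toy PAT table in Python that can only key flows on transport ports, so two inside PCs sending raw ESP (IP protocol 50) are untranslatable, while the same ESP datagrams wrapped in TCP to the default port 10000 each get their own public port and replies map back to the right host. Addresses and port numbers are constructed; standard NAT-T (RFC 3948) applies the same idea with UDP 4500.

```python
from collections import namedtuple

# Constructed packet model: IP protocol number plus transport ports.
# ESP (IP proto 50) and AH (51) carry no port numbers, which is the whole problem.
Packet = namedtuple("Packet", "proto src sport dst dport payload")
TCP, UDP, ESP, AH = 6, 17, 50, 51
IPSEC_OVER_TCP_PORT = 10000  # default port named in the thread

class PAT:
    """Minimal port address translation: many private hosts behind one public IP."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private src, sport) -> public port
        self.back = {}  # public port -> (private src, sport)

    def outbound(self, pkt):
        """Rewrite a private->public packet, or return None if PAT cannot key it."""
        if pkt.proto not in (TCP, UDP):
            # No port field to allocate, so two inside hosts cannot be told apart.
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return pkt._replace(src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Map a reply addressed to the public IP/port back to the inside host."""
        key = self.back.get(pkt.dport)
        if pkt.proto not in (TCP, UDP) or key is None:
            return None
        return pkt._replace(dst=key[0], dport=key[1])

def encapsulate_esp_in_tcp(esp_pkt, sport):
    """IPsec over TCP: carry the whole ESP datagram as the payload of a TCP segment."""
    return Packet(TCP, esp_pkt.src, sport, esp_pkt.dst, IPSEC_OVER_TCP_PORT, esp_pkt)

def demo():
    """Two inside PCs each open an ESP tunnel to the same remote gateway."""
    pat = PAT("203.0.113.1")  # constructed public address (RFC 5737 documentation range)
    gw = "198.51.100.10"      # constructed remote VPN gateway
    raw = [Packet(ESP, h, None, gw, None, b"ciphertext") for h in ("10.0.0.5", "10.0.0.6")]
    wrapped = [encapsulate_esp_in_tcp(p, 40000 + i) for i, p in enumerate(raw)]
    return [pat.outbound(p) for p in raw], [pat.outbound(p) for p in wrapped]
```

The same port requirement is why the PIX still needs outbound UDP 500 (IKE) and TCP 10000 permitted, but nothing per-host.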
JammyPak (ASKER)
Hi folks, thanks for the responses.

t1n0m3n, I'll try this out and let you know how it goes!
Seems to work great - thanks!