IPSec VPN connection from behind a PAT firewall?

Hi folks,

I know that I cannot create a outbound PPTP-based VPN connection from behind my PAT firewall (Cisco PIX) without creating static mappings between the internal (private) and an external (public) address. Obviously this isn't feasible, since I would need to have a separate public address for everyone who needs/wants to make an outbound VPN connection, and I'd need to setup static mappings for each address.

However; can anyone confirm or deny whether this is possible when using IPSec to create the firewall connection?

Basically, I would like to have a way to allow people from behind my firewall to make a VPN connection to another office, ideally without 1-1 address mapping. I don't want to have a LAN-LAN VPN tunnel, I want it PC-LAN.

Thanks!
JP
LVL 16
JammyPakAsked:
Who is Participating?
 
t1n0m3nCommented:
Yes I use IPSec through NAT all the time.

The trick is to enable the "IPSEC over TCP" setting in the client that you are using, and make sure that it is enabled on the other side as well.
You can also use UDP instead of TCP.

Basically, the protocol 50 (and 51 if you are using AH) will get encapsulated in a TCP packet and look like normal TCP/IP traffic to the NAT device.

I have many contractors that use this type of connectivity today.
0
 
_nn_Commented:
I don't see how. IPSec needs UDP 500 and IP proto 50/51. In a sense, it's "IP-in-IP", so AFAIK, it can't work through a PAT.
0
 
t1n0m3nCommented:
BTW the default TCP port for IPSec over TCP is port 10000.
0
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

 
t1n0m3nCommented:
Basically, the protocol 50 (and 51 if you are using AH) will get encapsulated in a TCP packet and look like normal TCP/IP traffic to the NAT device.

NAT should read PAT
0
 
JammyPakAuthor Commented:
Hi folks, thanks for the responses.

t1n0m3n, I'll try this out and let you know how it goes!
0
 
JammyPakAuthor Commented:
Seems to work great - thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.