Solved

How can NAT-T be supported on Firewall-1?

Posted on 2003-11-06
Last Modified: 2013-11-16
We have allowed ESP, AH, udp 500 and 4500 through our external firewall to the VPN Concentrator.  To support multiple VPN clients behind a NAT/PAT device requires NAT-T to be enabled.  It is enabled on the VPN clients and concentrator.

The first client connects on udp 500 and changes to udp 4500 (source and dest).  The second client connects on 500 and then tries 48068,4500 (I presume the ADSL modem has PATted 4500 to 48068).  Using TCPDUMP I see a response from the concentrator but it doesn't make it back to the client.  I think the firewall has dropped it because it doesn't recognise that response as part of a session.  We have a rule to allow udp 500 and 4500 out (4500 as the destination port, in this case it is the source with a random port as the destination).

We are upgrading to NG next week; will this resolve the problem (i.e. support NAT-T)?
Question by:duanew080600

Accepted Solution

by:
dschwartzer earned 500 total points
ID: 9712767
duanew, NG overall supports a lot of interesting things concerning VPN, NAT and routing of all kinds. I didn't quite understand your configuration, so I can't tell for sure. Anyway, if upgrading, go for NG with Application Intelligence (aka AI). It's the latest good version.
Now for the configuration:

client ----- NAT -----(internet) ---- CP FW ---(internal LAN) --- Cisco fw

Is that correct? Could you please elaborate on these? Client is Cisco, and CP FW is checkpoint 4.1 which must pass through without decrypting?

d
0
 

Author Comment

by:duanew080600
ID: 9726929
I think I have worked out where the problem lies.  Our VPN Concentrator sits behind our internet router and external firewall.  I think the firewall passed the traffic because it recognised the udp source, dest ports as a traffic flow.  But our router only runs simple ACLs.  Currently it only allows udp 500 and 4500 in and out to the concentrator.  I'll try changing the outbound rule to allow udp greater than 1024 as well.

client ----- NAT -----(internet) ---- router ------ FW --- VPN Conc. ---- FW ----- (internal LAN)
0
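The ACL behaviour described in the author comment above, as an added example that is not part of the original thread: a stateless ACL evaluated over constructed packets, comparing the router's original outbound rule, the proposed "udp greater than 1024" rule, and a narrower source-port rule. The addresses, the unrelated packet and the narrower rule set are assumptions; only ports 500, 4500 and 48068 come from the thread.

```python
# Stateless UDP ACL evaluation over constructed packets.
# Addresses, the "unrelated" packet and the PINNED rule set are assumptions.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")
Rule = namedtuple("Rule", "src sports dst dports")  # None means "any"

CONC = "192.0.2.10"      # hypothetical concentrator address
CLIENT = "198.51.100.7"  # hypothetical public address of the clients' NAT device
IKE_PORTS = {500, 4500}  # IKE and NAT-T ports named in the thread


def matches(rule, p):
    return ((rule.src is None or rule.src == p.src)
            and (rule.dst is None or rule.dst == p.dst)
            and (rule.sports is None or p.sport in rule.sports)
            and (rule.dports is None or p.dport in rule.dports))


def permitted(acl, p):
    """Stateless ACL: permit if any rule matches, otherwise implicit deny."""
    return any(matches(r, p) for r in acl)


# Outbound ACL as described in the thread: destination ports 500/4500 only.
ORIGINAL = [Rule(CONC, None, None, IKE_PORTS)]
# Change proposed in the thread: also allow destination ports above 1024.
PROPOSED = ORIGINAL + [Rule(CONC, None, None, range(1025, 65536))]
# Narrower alternative (assumption): match the concentrator's source port instead.
PINNED = ORIGINAL + [Rule(CONC, IKE_PORTS, None, None)]

# Constructed packets leaving the concentrator.
reply_client1 = Pkt(CONC, 4500, CLIENT, 4500)      # first client, port untouched
reply_client2 = Pkt(CONC, 4500, CLIENT, 48068)     # second client, PAT rewrote 4500
unrelated = Pkt(CONC, 53000, "203.0.113.5", 6000)  # not IKE/NAT-T traffic


def evaluate(acl):
    """Return permit decisions for [client1 reply, client2 reply, unrelated]."""
    return [permitted(acl, p) for p in (reply_client1, reply_client2, unrelated)]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("proposed", PROPOSED),
                      ("pinned", PINNED)):
        print(f"{name:9s} {evaluate(acl)}")
```

The original rule drops the reply to the PATted client; the proposed rule passes it but also passes any high-port UDP from the concentrator, while the source-port rule passes only replies sourced from 500 or 4500.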
 

Expert Comment

by:dschwartzer
ID: 9728789
Please update the thread if you solved the problem or need further assistance.

Thanks,
d
0
 

Expert Comment

by:Tim Holman
ID: 10976491
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> PAQ - Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0
