How can NAT-T be supported on Firewall-1?

We have allowed ESP, AH, udp 500 and 4500 through our external firewall to the VPN Concentrator. To support multiple VPN clients behind a NAT/PAT device requires NAT-T to be enabled. It is enabled on the VPN clients and concentrator.

The first client connects on udp 500 and changes to udp 4500 (source and dest). The second client connects on 500 and then tries 48068,4500 (I presume the ADSL modem has PATted 4500 to 48068). Using TCPDUMP I see a response from the concentrator but it doesn't make it back to the client. I think the firewall has dropped it because it doesn't recognise that response as part of a session. We have a rule to allow udp 500 and 4500 out (4500 as the destination port; in this case it is the source, with a random port as the destination).

We are upgrading to NG next week; will this resolve the problem (i.e. support NAT-T)?

duanew080600 Asked:
dschwartzer Commented:
duanew, NG at all supports a lot of interesting things concerning VPN, NAT and routing of all kinds. I didn't quite understand your configuration, so can't tell for sure. Anyway if upgrading - go for NG with Application Intelligence (aka AI). It's the latest good version.
Now for the configuration:

client ----- NAT -----(internet) ---- CP FW ---(internal LAN) --- Cisco fw

Is that correct? Could you please elaborate on these? Client is Cisco, and CP FW is checkpoint 4.1 which must pass through without decrypting?

d
duanew080600 Author Commented:
I think I have worked out where the problem lies. Our VPN Concentrator sits behind our internet router and external firewall. I think the firewall passed the traffic because it recognised the udp source, dest ports as a traffic flow. But our router only runs simple ACLs. Currently it only allows udp 500 and 4500 in and out to the concentrator. I'll try changing the outbound rule to allow udp greater than 1024 as well.

client ----- NAT -----(internet) ---- router ------ FW --- VPN Conc. ---- FW ----- (internal LAN)
dschwartzer Commented:
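The drop described in the post above, modelled as an added example that is not part of the thread: a stateless ACL that permits udp 500/4500 by destination port passes client 2's PATted request (48068 to 4500) but blocks the reply (4500 to 48068), while the proposed ">1024 outbound" rule or a connection-tracking firewall passes it. All addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed addresses standing in for the thread's topology (not real hosts).
CONC = "203.0.113.10"   # VPN concentrator behind the router
NAT1 = "198.51.100.7"   # public side of client 1's NAT (port 4500 preserved)
NAT2 = "198.51.100.8"   # public side of client 2's ADSL NAT (port rewritten)

def acl_500_4500(pkt: Packet) -> bool:
    """Stateless router ACL as first described: udp 500 and 4500 only,
    judged per packet by destination port, with no memory of earlier packets."""
    return pkt.dst_port in (500, 4500)

def acl_with_high_ports(pkt: Packet) -> bool:
    """The proposed outbound change: concentrator replies from port 4500 may
    also go to any destination port above 1024 (the PATted source port)."""
    if acl_500_4500(pkt):
        return True
    return pkt.src_ip == CONC and pkt.src_port == 4500 and pkt.dst_port > 1024

class StatefulFilter:
    """Connection-tracking filter: an allowed inbound packet records its flow,
    and only the mirrored 4-tuple is permitted back out, so no high-port
    range needs to be opened for unsolicited outbound traffic."""
    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return True                      # reply to a tracked flow
        if pkt.dst_ip == CONC and pkt.dst_port in (500, 4500):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True                      # new IKE / NAT-T flow to the concentrator
        return False

def exchange(rule, inbound: Packet) -> Tuple[bool, bool]:
    """Push a request and the concentrator's reply through a filter;
    returns (request_allowed, reply_allowed)."""
    reply = Packet(inbound.dst_ip, inbound.dst_port, inbound.src_ip, inbound.src_port)
    return rule(inbound), rule(reply)

CLIENT1 = Packet(NAT1, 4500, CONC, 4500)    # NAT kept the source port
CLIENT2 = Packet(NAT2, 48068, CONC, 4500)   # PAT rewrote it to 48068
```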
Please update the thread if you solved the problem or need further assistance.

Thanks,
d
Tim Holman Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

--> PAQ - Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer