Re: Cisco VPN behind a nat router with port translation.


Re: Cisco VPN behind a nat router with port translation. Walter Roberson 02-18-2007
Posted by Walter Roberson on February 18, 2007, 2:03 pm

>I have a problem with a pix 501 and VPN.

>The connection to the internal network is as follows:

>internet-->DMZ -->External int. pix..> internal network. (see visio diagram)

Please don't post binary files in text newsgroups.

And as best I recall, I don't have access to a visio viewer.

>My problem is as follows: When I connected a pc to the DMZ and try a cisco
>vpn everything is working perfectly. (In my opinion there is nothing wrong
>with the pix configuration.)

>When I try to connect to the pix from the internet the entire process seems
>okay. I'll get a perfect connection. But when I try to ping, or do a rdc. to
>a server nothing happens. In my opinion there is something wrong with
>the portmapping on the router.

>I mapped:

>500 udp/tcp
>50/51 tcp
>10000 udp/tcp
>4500 / udp/tcp

You don't need 500 TCP, just 500 UDP.

You don't need 10000 TCP or UDP: that was for an old VPN passthrough
that is not supported on the PIX 501.

You don't need 4500 TCP, just 4500 UDP, and that only if you have
isakmp nat-traversal configured on the 501.

You don't need 50 or 51 TCP. No VPN that I know of uses TCP 50 or TCP 51.
The ESP protocol used by IPSec is IP Protocol 50, and the AH protocol
used by IPSec is IP Protocol 51, but those numbers are IP Protocol
numbers, exactly the same way that TCP is IP Protocol 6 and UDP
is IP Protocol 17. And most consumer devices and ADSL modems do
not allow configuring forwarding by IP Protocol, only by TCP or UDP port.
However, if your endpoint for the VPN tunnel is the PIX, and you
have isakmp nat-traversal configured, then as long as UDP 500 and
UDP 4500 can get through the ADSL modem to the PIX, the PIX should
be able to work around the lack of direct ESP or AH packets (it will
encapsulate the packets in UDP 4500.)


It isn't clear to me at which device you did the mapping. The mappings
noted would have to be done at the ADSL modem level if anywhere:
you don't need them on the PIX if your security gateway is the
PIX and you are using the Cisco client to connect to the PIX in
order to access the server resources. But you -do- need to either
permit the RDP etc. ports through the PIX outside interface, or else
configure sysopt connection permit-ipsec to permit the VPN connections
to go anywhere inside without ACL controls.
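As an added illustration (not code from the thread), the Python below builds constructed packets and shows the point made above: a NAT that forwards by TCP/UDP port has nothing to match in a raw ESP (IP protocol 50) or AH (IP protocol 51) packet, while IKE on UDP 500 and NAT-T traffic on UDP 4500 do carry ports. The addresses are the ones quoted in the thread, and the Non-ESP-marker rule for distinguishing IKE from ESP on UDP 4500 is RFC 3948.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51  # IP protocol numbers, not ports
IKE_PORT, NAT_T_PORT = 500, 4500                   # UDP ports used by IKE and NAT-T

def ipv4_packet(proto, payload, src="10.0.99.50", dst="83.247.53.136"):
    """Constructed minimal IPv4 header (20 bytes, zero checksum) in front of payload."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, ip(src), ip(dst))
    return hdr + payload

def udp_segment(sport, dport, data):
    """UDP header (zero checksum) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """What a port-based NAT can key on, and which IPsec traffic the packet is."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    info = {"proto": proto, "port_forwardable": False, "kind": "other"}
    if proto == IPPROTO_ESP:
        # Raw ESP starts with the SPI; there is no port field for a forwarding rule.
        info["kind"] = "ESP (SPI %#x)" % struct.unpack("!I", body[:4])[0]
    elif proto == IPPROTO_AH:
        info["kind"] = "AH"
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        info.update(sport=sport, dport=dport, port_forwardable=True)
        if dport == IKE_PORT:
            info["kind"] = "IKE"
        elif dport == NAT_T_PORT:
            # RFC 3948: IKE on 4500 is prefixed by a 4-byte zero Non-ESP marker;
            # UDP-encapsulated ESP starts with its SPI, which is never zero.
            is_ike = data[:4] == b"\x00\x00\x00\x00"
            info["kind"] = "IKE over NAT-T" if is_ike else "UDP-encapsulated ESP"
    return info

def review_forwardings(rules):
    """Rule of thumb from the post: only UDP 500 and UDP 4500 (the latter with
    isakmp nat-traversal) need forwarding on the modem; everything else is unused."""
    needed = {("udp", IKE_PORT), ("udp", NAT_T_PORT)}
    return {"needed": sorted(r for r in rules if r in needed),
            "unneeded": sorted(r for r in rules if r not in needed)}

# Constructed samples: the mappings the poster configured, raw ESP, and NAT-T traffic.
OP_RULES = [("udp", 500), ("tcp", 500), ("tcp", 50), ("tcp", 51),
            ("udp", 10000), ("tcp", 10000), ("udp", 4500), ("tcp", 4500)]
ESP_RAW = ipv4_packet(IPPROTO_ESP, struct.pack("!I", 0x1234ABCD) + b"\xAA" * 16)
ESP_NAT_T = ipv4_packet(IPPROTO_UDP, udp_segment(4500, 4500, struct.pack("!I", 0x1234ABCD) + b"\xAA" * 16))
IKE_NAT_T = ipv4_packet(IPPROTO_UDP, udp_segment(4500, 4500, b"\x00" * 4 + b"\x01" * 28))
```

Running `classify` over the three samples shows the first has no ports to translate while the other two do; `review_forwardings(OP_RULES)` leaves only UDP 500 and UDP 4500 in the needed set.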

Posted by Marc on February 18, 2007, 3:53 pm
Dear Walter and all readers,

Many thanks for your reply.

The ADSL modem is a SMC 7808 router. It is capable of bridging, but not in
combination with ADSL / over PPP protocol. I configured the router with the
tcp/udp ports you specified.

B.T.W. the VPN connection is created and secured, but transferring data is
the problem. I tested this also with a PPTP connection (with the right
ports of course). Still the same problem. When I put my laptop in the DMZ
network (where the outside port of the pix is located) there is no problem. I
can exchange data with the internal network over ipsec.

The NAT table of the router is as below:

Proto  Outside pix    loc. prt  Public IP router  Pseudo prt  Peer           Peer port
UDP    10.0.99.50     500       83.247.122.195    500         83.247.53.136  10

I configured the sysopt connection permit-ipsec at this time, so I don't
have to worry about access rules. I configured the isakmp nat-traversal on
a long timeout.

Kind Regards,


Marc


Posted by Walter Roberson on February 18, 2007, 5:10 pm
>B.T.W. the VPN connection is created and secured, but transferring data is
>the problem.

>The NAT table of the router is as below:

> UDP 10.0.99.50 500 83.247.122.195 500 83.247.53.136 10

Make sure you configure UDP 4500 as well.
