PIX and VPN over TCP
Hi to all!
I need advice and maybe someone of you could help ... My company is using a PIX firewall, and mobile users use the Cisco VPN Client to be able to connect with our network while they are on the road. The problem is that in many places mobile users can connect to the internet, but via a device with NAT and without NAT-T. Of course in such a case they could not establish a VPN tunnel. However, the Cisco VPN Client has an option "Enable transparent Tunneling" (with settings "IPSec over UDP (NAT/PAT)" and "IPSec over TCP"). Could someone tell me how to configure the PIX (515E) to use this option (or point me to the appropriate doc)? Is this option at all supported on the PIX? I have found only information regarding configuring this option with the Cisco VPN Concentrator.

Thank you in advance for any answer,
Krzysztof
Re: PIX and VPN over TCP
"Krzysztof" <nosmap@nosmap.nospam> wrote:
> However Cisco VPN Client has an option "Enable transparent Tunneling" (with
> setting "IPSec over UDP (NAT/PAT)" and "IPSec over TCP").
>
> Could someone tell me how to configure PIX (515E) to use this option (or
> point me to appropriate doc)? Is this option at all supported on PIX? I have
> found only information regarding configuring this option with Cisco VPN
> concentrator.

isakmp nat-traversal 20

http://www.cisco.com/univercd/cc/td/....htm#wp1027312

Note that PIX can do nat-traversal only with UDP and using a fixed port 4500.
Re: PIX and VPN over TCP
In article <ete76c$cvl$1@news.onet.pl>, Krzysztof <nosmap@nosmap.nospam> wrote:
> My company is usig PIX firewall, and mobile user use Cisco VPN Client, to be
> able to connect with our network while they are on the road. Problem is,
> that in many places mobile users can connect to internet, but via device
> with NAT and without NAT-T. Ofcourse in such a case they could not establish
> VPN tunel.

It doesn't matter that they are going through devices that do not have NAT-T: the VPN client itself will do NAT-T. If the PIX has NAT-T enabled and the VPN clients are having problems getting through, then the implication is that UDP 500 or UDP 4500 is blocked -- and if that is the case, one would expect that TCP 10000 may well be blocked as well.
Re: PIX and VPN over TCP
In article <txxKh.17721$CZ4.10259@reader1.news.saunalahti.fi>,
Jyri Korhonen <korhojy@POISSPAMMIThotmail.com> wrote:
> "Krzysztof" <nosmap@nosmap.nospam> wrote:
>> Could someone tell me how to configure PIX (515E) to use this option (or
> isakmp nat-traversal 20
> http://www.cisco.com/univercd/cc/td/....htm#wp1027312
> Note that PIX can do nat-traversal only with UDP and
> using a fixed port 4500.

That is true for PIX 6.3, which the URL you give is for ("v_63"), but I seem to recall reading that there are more tunneling options for PIX 7.x, which a 515E might be running.
Re: PIX and VPN over TCP
On 2007-03-16 15:11, Walter Roberson wrote:
> In article <ete76c$cvl$1@news.onet.pl>, Krzysztof <nosmap@nosmap.nospam> wrote:
>> My company is usig PIX firewall, and mobile user use Cisco VPN Client, to be
>> able to connect with our network while they are on the road. Problem is,
>> that in many places mobile users can connect to internet, but via device
>> with NAT and without NAT-T. Ofcourse in such a case they could not establish
>> VPN tunel.
>
> It doesn't matter that they are going through devices that do not
> have NAT-T: the VPN client itself will do NAT-T. If the PIX has
> NAT-T enabled and the VPN clients are having problems getting
> through, then the implication is that UDP 500 or UDP 4500 is blocked --
> and if that is the case, one would expect that TCP 10000 may well
> be blocked as well.

Yes, but you can change the port with the isakmp ipsec-over-tcp port <port> command.

--
Michał Iwaszko
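A small log-triage helper in the spirit of Walter's reasoning above (if UDP 500/4500 are dropped at a hotspot, TCP 10000 probably is too) and Michał's note that the TCP port can be moved on platforms that support it. This is an added example, not code from the thread, from Cisco or from any PIX/ASA feature: the log line format, the addresses and the sample lines are constructed for the example, and the `tcp_port` parameter is a hypothetical stand-in for whatever port an `isakmp ipsec-over-tcp port` setting would use. It reads firewall deny/permit lines and reports which IPsec transport (IKE on UDP 500, NAT-T on UDP 4500, native ESP, or IPsec over TCP) an intermediate device is blocking, so you can tell a "NAT-T is off" problem from a "the ports are filtered" problem.

```python
"""
Added example (not from the thread): classify firewall log lines by the IPsec
encapsulation they carry, so a denied line tells you which tunnel transport
(IKE on UDP 500, NAT-T on UDP 4500, Cisco IPsec over TCP on 10000 or a
configured port, or native ESP) an intermediate device is dropping.

The log format is constructed for this example, not a real PIX syslog format:
    <permit|deny> <udp|tcp|esp> <src_ip>[:<port>] -> <dst_ip>[:<port>]
"""
import re
from collections import Counter

# Ports discussed in the thread.
IKE_PORT = 500                       # ISAKMP/IKE negotiation
NAT_T_PORT = 4500                    # NAT-T: IKE (with non-ESP marker) and UDP-encapsulated ESP
IPSEC_OVER_TCP_DEFAULT_PORT = 10000  # Cisco IPsec over TCP default; assumed configurable via tcp_port

LOG_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>udp|tcp|esp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$",
    re.IGNORECASE,
)


def classify(proto, dport, tcp_port=IPSEC_OVER_TCP_DEFAULT_PORT):
    """Map a transport protocol and destination port to the IPsec encapsulation it implies."""
    proto = proto.lower()
    if proto == "esp":
        return "esp-native"       # IP protocol 50 carries no ports, so PAT devices cannot multiplex it
    if proto == "udp" and dport == IKE_PORT:
        return "ike"
    if proto == "udp" and dport == NAT_T_PORT:
        return "nat-t"
    if proto == "tcp" and dport == tcp_port:
        return "ipsec-over-tcp"
    return "other"


def parse_line(line, tcp_port=IPSEC_OVER_TCP_DEFAULT_PORT):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return {
        "action": m["action"].lower(),
        "proto": m["proto"].lower(),
        "dst": m["dst"],
        "dport": dport,
        "encap": classify(m["proto"], dport, tcp_port),
    }


def denied_encapsulations(lines, tcp_port=IPSEC_OVER_TCP_DEFAULT_PORT):
    """Count, per encapsulation type, how many lines were denied; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, tcp_port)
        if rec and rec["action"] == "deny" and rec["encap"] != "other":
            counts[rec["encap"]] += 1
    return counts


def diagnose(lines, tcp_port=IPSEC_OVER_TCP_DEFAULT_PORT):
    """
    Return the IPsec transports the log shows being blocked, in the order a
    client would try them: IKE/NAT-T first, native ESP, then the TCP fallback.
    """
    denied = denied_encapsulations(lines, tcp_port)
    order = ["ike", "nat-t", "esp-native", "ipsec-over-tcp"]
    return [name for name in order if denied[name] > 0]


# Constructed sample: a roaming client (203.0.113.10) behind a restrictive
# hotspot trying to reach a VPN head-end (198.51.100.1). Only web and DNS pass.
SAMPLE_LOG = [
    "deny udp 203.0.113.10:500 -> 198.51.100.1:500",
    "deny udp 203.0.113.10:4500 -> 198.51.100.1:4500",
    "deny esp 203.0.113.10 -> 198.51.100.1",
    "deny tcp 203.0.113.10:51234 -> 198.51.100.1:10000",
    "permit tcp 203.0.113.10:51235 -> 198.51.100.1:443",
    "permit udp 203.0.113.10:53012 -> 198.51.100.1:53",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for name, n in sorted(denied_encapsulations(SAMPLE_LOG).items()):
        print(f"{name:16s} denied {n} time(s)")
    print("blocked transports:", ", ".join(diagnose(SAMPLE_LOG)))
```

If the head-end's TCP port has been moved, pass it as `tcp_port`; the default 10000 classification then stops matching, which is the point: the log only tells you which transport is filtered relative to the port the head-end actually listens on.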
Re: PIX and VPN over TCP
Hi!
Hmm! It seems that you guys are right - this is not a NAT-T problem, as I have already turned it on with "isakmp nat-traversal 20". It may be due to blocking UDP ports.

>> It doesn't matter that they are going through devices that do not
>> have NAT-T: the VPN client itself will do NAT-T. If the PIX has
>> NAT-T enabled and the VPN clients are having problems getting
>> through, then the implication is that UDP 500 or UDP 4500 is blocked --
>> and if that is the case, one would expect that TCP 10000 may well
>> be blocked as well.
>
> Yes, but You can change the port with isakmp ipsec-over-tcp port <port>
> command.

but Jyri has said:

> Note that PIX can do nat-traversal only with UDP and
> using a fixed port 4500.

So, could I configure my PIX to use only one TCP or UDP port (preferably using one of the "well known ports") or not?

Krzysztof
Re: PIX and VPN over TCP
On 2007-03-16 15:33, Krzysztof wrote:
>> Note that PIX can do nat-traversal only with UDP and
>> using a fixed port 4500.
>
> So, could I configure my PIX to use only one TCP or UDP port (preferable
> using one of "well known port") or not?

The command I wrote works well on ASA and I forgot to add it to the previous post :-). Take a look at a PIX Configuration Guide and a Command Reference for your OS version - it's all there.

--
Michał Iwaszko
Re: PIX and VPN over TCP
Hi!
> Take a look at a PIX Configuration Guide and a
> Command Reference for Your OS version - It's all there.

There is no "isakmp ipsec-over-tcp port" command or anything similar, so the final conclusion is: I CAN'T change the TCP/UDP ports used by the PIX for IPSec tunnels :-( (I have version 6.3)

Best Regards,
Krzysztof