Velocity Reviews - Computer Hardware Reviews

VPN with Cisco PIX 506E through firewalls - port question

 
 
aether8203@yahoo.com
      05-02-2005
Goal: Allow telecommuters at home to VPN into the protected network.

Internet traffic to our office goes through 2 Sidewinder firewalls
before even hitting our Sidewinder firewall (yes - 3 firewalls). On
our firewall, we have partitioned a port for our DMZ and allowed inbound
UDP500 and UDP10000. Upstream, the firewalls have the same rule.

My question is do you have to have inbound AND outbound traffic on
those two ports?

Reason: Using Cisco VPN Client 4.6, we can "connect and authenticate",
but looking at the statistics, we have thousands of bytes sent out but
ZERO bytes received. To me it looks like the upstream firewall is
blocking the handshaking or whatever goes on between a PIX and a
client.

Thanks all,
Sean

 
Walter Roberson
      05-02-2005
In article <(E-Mail Removed)>, <(E-Mail Removed)> wrote:
:Goal: Allow telecommuters at home to VPN into the protected network.

:Internet traffic to our office goes through 2 Sidewinder firewalls
:before even hitting our Sidewinder firewall (yes - 3 firewalls). On
:our firewall, we have partitioned a port for our DMZ and allowed inbound
:UDP500 and UDP10000. Upstream, the firewalls have the same rule.

I seem to have missed out on where the PIX is in this sequence?

:My question is do you have to have inbound AND outbound traffic on
:those two ports?

:Reason: Using Cisco VPN Client 4.6, we can "connect and authenticate",
:but looking at the statistics, we have thousands of bytes sent out but
:ZERO bytes received. To me it looks like the upstream firewall is
:blocking the handshaking or whatever goes on between a PIX and a
:client.

Turn on isakmp nat-traversal on the PIX, then turn off UDP10000,
and open up UDP 4500. There is some dynamic port negotiation after that
that you might have to allow for on the other firewalls.
--
Would you buy a used bit from this man??
 
aether8203@yahoo.com
      05-02-2005
Goes like this:

=========
= Internet =
=========
|-----> Firewall 1
|-------> Firewall 2
|----------> Our Firewall
/ \
/ \
Internal DMZ (with PIX here)

Since we have to go through a long paperwork process for opening a port
in Firewall 1 and 2, is there any steadfast rule for VPN communication
to a PIX? When you mention "dynamic port negotiation", what port does
that translate to (or does it)?


 
Walter Roberson
      05-02-2005
In article <(E-Mail Removed)>, <(E-Mail Removed)> wrote:
:Since we have to go through a long paperwork process for opening a port
:in Firewall 1 and 2, is there any steadfast rule for VPN communication
:to a PIX?

If all the IP address translation from outside to inside is 1-to-1,
then you can use:

ESP (IP protocol 50)
isakmp (UDP port 500)

If you want to add AH (authentication header) to such a situation,
the public IP of the PIX must match the IP as known to the other
side, and you would need IP Protocol 51 (AH.)


: When you mention "dynamic port negotiation", what port does
:that translate to (or does it)?

If nat-traversal is turned on, which is required to deal with
IP translation that is not 1-to-1, and required if you want to
get AH through a non-identity IP translation, then UDP 4500 is used
after UDP 500, and if NAT is detected then the next UDP port number
in sequence in the "dynamic" range (> 1023) is used -- a different
port each time. I do not clearly recall the details now, but
I think the dynamic port is a -source- port, always used to the
fixed port 4500 on the other end. (This process is done
independently for the two directions, so each is sending to 4500.)
--
"Mathematics? I speak it like a native." -- Spike Milligan
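As an added illustration of the port-4500 traffic described in the answer above (example code written for this page, not anything posted in the thread or shipped by Cisco), the following Python classifies the UDP datagrams a firewall between the client and the PIX would see: IKE on UDP 500, IKE moved to UDP 4500 with the four-byte zero "non-ESP marker", UDP-encapsulated ESP on 4500, and the one-byte NAT keepalive. The wire formats come from RFC 3947 and RFC 3948; the sample packets, the cookies, and port 61000 (standing in for the source port a home NAT assigned when it rewrote the client's 4500) are constructed for the example. That NAT-assigned source port, paired with the fixed destination port 4500 on the PIX, is the dynamic port the post refers to.

```python
import struct

IKE_PORT = 500         # ISAKMP/IKE before NAT detection
NAT_T_PORT = 4500      # IKE and UDP-encapsulated ESP after NAT detection (RFC 3947/3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix marking IKE, not ESP, inside a port-4500 datagram
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that keeps the NAT mapping open

# IKEv1 exchange types a remote-access client produces (RFC 2408/2409)
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}
# cookies (8+8), next payload, version, exchange type, flags, message id, length
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(data):
    """Decode the fixed 28-byte ISAKMP header that every IKE message starts with."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    i_cookie, r_cookie, _next, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack(data[:ISAKMP_HEADER.size])
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "exchange": EXCHANGE_TYPES.get(exch, "type-%d" % exch),
        "encrypted": bool(flags & 0x01),
        "message_id": msg_id,
        "length_ok": length == len(data),
    }


def classify(src_port, dst_port, payload):
    """Return (kind, details) for one UDP datagram as a firewall between client and PIX sees it."""
    ports = (src_port, dst_port)
    if IKE_PORT in ports:
        return "ike", parse_isakmp_header(payload)
    if NAT_T_PORT in ports:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", {}
        if payload.startswith(NON_ESP_MARKER):
            ike = payload[len(NON_ESP_MARKER):]
            if len(ike) < ISAKMP_HEADER.size:
                return "malformed-nat-t", {}
            return "ike-nat-t", parse_isakmp_header(ike)
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            if spi != 0:  # SPI 0 is reserved, so a non-zero first word means ESP
                return "udp-esp", {"spi": spi, "seq": seq}
        return "malformed-nat-t", {}
    return "other", {}


def build_isakmp(i_cookie, r_cookie, exch, flags=0, msg_id=0, body=b""):
    """Constructed test helper: assemble an ISAKMP message with a consistent header."""
    length = ISAKMP_HEADER.size + len(body)
    return ISAKMP_HEADER.pack(i_cookie, r_cookie, 1, 0x10, exch, flags, msg_id, length) + body


# Constructed sample: aggressive mode on 500, NAT detected, then IKE and ESP moved to 4500.
# 61000 stands for the source port a home NAT picked when rewriting the client's 4500.
CLIENT_COOKIE = bytes.fromhex("a1b2c3d4e5f60718")
PIX_COOKIE = bytes.fromhex("1122334455667788")
SAMPLE = [
    (500, 500, build_isakmp(CLIENT_COOKIE, b"\x00" * 8, 4, body=b"\x00" * 20)),
    (500, 500, build_isakmp(CLIENT_COOKIE, PIX_COOKIE, 4, body=b"\x00" * 20)),
    (61000, 4500, NON_ESP_MARKER + build_isakmp(CLIENT_COOKIE, PIX_COOKIE, 32, flags=0x01,
                                                msg_id=0x1234, body=b"\x00" * 16)),
    (4500, 61000, NON_ESP_MARKER + build_isakmp(CLIENT_COOKIE, PIX_COOKIE, 32, flags=0x01,
                                                msg_id=0x1234, body=b"\x00" * 16)),
    (61000, 4500, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 40),
    (4500, 61000, struct.pack("!II", 0x0BADF00D, 1) + b"\x00" * 40),
    (61000, 4500, NAT_KEEPALIVE),
]


def summarize(datagrams):
    """Count datagram kinds, which is what a firewall rule request has to account for."""
    counts = {}
    for src_port, dst_port, payload in datagrams:
        kind, _ = classify(src_port, dst_port, payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for src_port, dst_port, payload in SAMPLE:
        print(src_port, "->", dst_port, *classify(src_port, dst_port, payload))
    print(summarize(SAMPLE))
```

The point for the firewall request is that nothing on port 4500 can be told apart by port number alone: IKE and encapsulated ESP share it and differ only in the first four bytes, so 4500 has to be open for all of it in both directions, and bare ESP (protocol 50) only appears on the wire when NAT-T concludes there is no NAT in the path.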
 
aether8203@yahoo.com
      05-02-2005
Last Question:

When you say "open up" a port, do you mean both incoming and outgoing
through the Firewalls? The "powers" above us have very strict
procedures and I want to make sure I ask correctly.

Thanks very much for your help!

 
Walter Roberson
      05-02-2005
In article <(E-Mail Removed)>, <(E-Mail Removed)> wrote:
:When you say "open up" a port, do you mean both incoming and outgoing
:through the Firewalls?

UDP 500 -- needed in both directions. 500 will be the source and
destination for this flow -- port 500 to port 500.

UDP 4500 -- if you are using NAT-T, needed in both directions
I seem to recall that 4500 is the source and destination port during NAT-T
negotiations, but I could be wrong. If NAT-T is activated, then
4500 becomes the destination (outgoing) port for each side,
with a {different} dynamic (> 1023) port as the source port for each
side. Dynamic source ports is the normal mode of operation of all kinds
of TCP/UDP protocols, so this dynamic nature should not require any special
configuration.

IP 50 (ESP) -- needed in both directions if NAT-T is off or if NAT-T
detects that there is no NAT (no point encapsulating
if you don't need to). There is no port number for ESP.
--
'The short version of what Walter said is "You have asked a question
which has no useful answer, please reconsider the nature of the
problem you wish to solve".' -- Tony Mantler
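To check the both-directions requirement in the answer above against what the firewalls actually log, here is an added Python example (written for this page, not from the thread, and not in any Sidewinder or PIX log syntax: the line layout and the log lines are constructed for the example). It tallies permitted traffic per VPN service toward and away from the VPN gateway and collects the denies, so a service that passes one way but never the other, which is exactly the sent-thousands-of-bytes, received-zero symptom, shows up as one-way. The gateway 198.51.100.5, the client 203.0.113.10 and the NAT-chosen client port 61000 are placeholders.

```python
import re

# Constructed log line format for this example (not the native syslog format of Sidewinder or PIX):
#   <date> <time> <PERMIT|DENY> <proto> <src>[:<port>] -> <dst>[:<port>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>PERMIT|DENY) (?P<proto>udp|tcp|esp|ah) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# The pieces of an IPsec remote-access session, each of which must pass in both directions.
VPN_SERVICES = {
    "udp/500": ("udp", 500),    # IKE
    "udp/4500": ("udp", 4500),  # IKE and ESP once NAT-T is in use
    "esp": ("esp", None),       # IP protocol 50, no port number
    "ah": ("ah", None),         # IP protocol 51, no port number
}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def vpn_service(rec):
    """Name the VPN service a record belongs to, or None for unrelated traffic."""
    for name, (proto, port) in VPN_SERVICES.items():
        if rec["proto"] == proto and (port is None or port in (rec["sport"], rec["dport"])):
            return name
    return None


def audit(lines, gateway_ip):
    """Count permitted traffic per VPN service in each direction relative to the VPN gateway
    and collect the denies, so one-way services stand out."""
    report = {name: {"to_gateway": 0, "from_gateway": 0, "denied": []} for name in VPN_SERVICES}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = vpn_service(rec)
        if name is None:
            continue
        if rec["dst"] == gateway_ip:
            direction = "to_gateway"
        elif rec["src"] == gateway_ip:
            direction = "from_gateway"
        else:
            continue  # VPN-looking traffic that does not involve our gateway
        if rec["action"] == "PERMIT":
            report[name][direction] += 1
        else:
            report[name]["denied"].append((direction, rec["ts"]))
    for entry in report.values():
        seen = [entry["to_gateway"] > 0, entry["from_gateway"] > 0]
        entry["status"] = "two-way" if all(seen) else "one-way" if any(seen) else "absent"
    return report


def one_way_services(report):
    """Services where only one direction ever passed: the rule request must name the other."""
    return sorted(name for name, entry in report.items() if entry["status"] == "one-way")


# Constructed sample: IKE on 500 passes both ways, NAT-T on 4500 passes toward the PIX but the
# replies to the NAT-chosen client port 61000 are denied; ESP never appears because NAT-T is on.
GATEWAY = "198.51.100.5"
SAMPLE_LOG = [
    "2005-05-02 09:12:01 PERMIT udp 203.0.113.10:500 -> 198.51.100.5:500",
    "2005-05-02 09:12:01 PERMIT udp 198.51.100.5:500 -> 203.0.113.10:500",
    "2005-05-02 09:12:02 PERMIT udp 203.0.113.10:61000 -> 198.51.100.5:4500",
    "2005-05-02 09:12:02 DENY udp 198.51.100.5:4500 -> 203.0.113.10:61000",
    "2005-05-02 09:12:05 PERMIT udp 203.0.113.10:61000 -> 198.51.100.5:4500",
    "2005-05-02 09:12:05 DENY udp 198.51.100.5:4500 -> 203.0.113.10:61000",
    "2005-05-02 09:12:07 PERMIT tcp 203.0.113.10:51234 -> 198.51.100.5:443",
    "garbage line the parser must skip",
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG, GATEWAY)
    for name, entry in result.items():
        print(name, entry["status"], entry["to_gateway"], entry["from_gateway"], len(entry["denied"]))
    print("one-way:", one_way_services(result))
```

Point the script at the real export from each of the three firewalls in turn (after adapting LINE_RE to that product's log format) and the first hop that reports udp/4500 or esp as one-way is the one whose rule request is incomplete; "absent" for esp is expected while NAT-T is active, and "absent" for udp/4500 is expected while it is not.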
 