PIX and VPN over TCP

Discussion in 'Cisco' started by Krzysztof, Mar 16, 2007.

  1. Krzysztof

    Hi to all!

    I need some advice, and maybe one of you could help ...

    My company is using a PIX firewall, and mobile users use the Cisco VPN Client to be
    able to connect to our network while they are on the road. The problem is
    that in many places mobile users can connect to the internet, but via a device
    with NAT and without NAT-T. Of course, in such a case they could not establish a
    VPN tunnel.
    However, the Cisco VPN Client has an option "Enable transparent Tunneling" (with
    settings "IPSec over UDP (NAT/PAT)" and "IPSec over TCP").

    Could someone tell me how to configure PIX (515E) to use this option (or
    point me to the appropriate doc)? Is this option supported on PIX at all? I have
    found only information regarding configuring this option with the Cisco VPN
    concentrator.

    Thank you in advance for any answer

    Krzysztof
    Krzysztof, Mar 16, 2007
    #1

  2. "Krzysztof" <> wrote:

    > However, the Cisco VPN Client has an option "Enable transparent Tunneling" (with
    > settings "IPSec over UDP (NAT/PAT)" and "IPSec over TCP").
    >
    > Could someone tell me how to configure PIX (515E) to use this option (or
    > point me to the appropriate doc)? Is this option supported on PIX at all? I have
    > found only information regarding configuring this option with the Cisco VPN
    > concentrator.

    isakmp nat-traversal 20

    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312

    Note that PIX can do nat-traversal only with UDP and
    using a fixed port 4500.
    Jyri Korhonen, Mar 16, 2007
    #2

  3. In article <ete76c$cvl$>, Krzysztof <> wrote:
    >My company is using a PIX firewall, and mobile users use the Cisco VPN Client to be
    >able to connect to our network while they are on the road. The problem is
    >that in many places mobile users can connect to the internet, but via a device
    >with NAT and without NAT-T. Of course, in such a case they could not establish a
    >VPN tunnel.

    It doesn't matter that they are going through devices that do not
    have NAT-T: the VPN client itself will do NAT-T. If the PIX has
    NAT-T enabled and the VPN clients are having problems getting
    through, then the implication is that UDP 500 or UDP 4500 is blocked --
    and if that is the case, one would expect that TCP 10000 may well
    be blocked as well.
    Walter Roberson, Mar 16, 2007
    #3
  4. In article <txxKh.17721$>,
    Jyri Korhonen <> wrote:
    >"Krzysztof" <> wrote:
    >> Could someone tell me how to configure PIX (515E) to use this option (or
    >
    >isakmp nat-traversal 20
    >
    >http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312
    >
    >Note that PIX can do nat-traversal only with UDP and
    >using a fixed port 4500.

    That is true for PIX 6.3, which the URL you give is for ("v_63"),
    but I seem to recall reading that there are more tunneling
    options for PIX 7.x, which a 515E might be running.
    Walter Roberson, Mar 16, 2007
    #4
  5. On 2007-03-16 15:11, Walter Roberson wrote:
    > In article <ete76c$cvl$>, Krzysztof <> wrote:
    >> My company is using a PIX firewall, and mobile users use the Cisco VPN Client to be
    >> able to connect to our network while they are on the road. The problem is
    >> that in many places mobile users can connect to the internet, but via a device
    >> with NAT and without NAT-T. Of course, in such a case they could not establish a
    >> VPN tunnel.
    >
    > It doesn't matter that they are going through devices that do not
    > have NAT-T: the VPN client itself will do NAT-T. If the PIX has
    > NAT-T enabled and the VPN clients are having problems getting
    > through, then the implication is that UDP 500 or UDP 4500 is blocked --
    > and if that is the case, one would expect that TCP 10000 may well
    > be blocked as well.

    Yes, but you can change the port with the isakmp ipsec-over-tcp port <port>
    command.

    --
    Michał Iwaszko
    Michał Iwaszko, Mar 16, 2007
    #5
  6. Krzysztof

    Hi!

    Hmm! It seems that you guys are right; this is not a NAT-T problem, as I have
    already turned it on with "isakmp nat-traversal 20". It may be due to
    blocking of UDP ports.

    >> It doesn't matter that they are going through devices that do not
    >> have NAT-T: the VPN client itself will do NAT-T. If the PIX has
    >> NAT-T enabled and the VPN clients are having problems getting
    >> through, then the implication is that UDP 500 or UDP 4500 is blocked --
    >> and if that is the case, one would expect that TCP 10000 may well
    >> be blocked as well.
    >
    > Yes, but you can change the port with the isakmp ipsec-over-tcp port <port>
    > command.

    but Jyri has said:

    > Note that PIX can do nat-traversal only with UDP and
    > using a fixed port 4500.

    So, could I configure my PIX to use only one TCP or UDP port (preferably
    using one of the "well known ports") or not?

    Krzysztof
    Krzysztof, Mar 16, 2007
    #6
  7. On 2007-03-16 15:33, Krzysztof wrote:
    >> Note that PIX can do nat-traversal only with UDP and
    >> using a fixed port 4500.
    >
    > So, could I configure my PIX to use only one TCP or UDP port (preferably
    > using one of the "well known ports") or not?

    The command I wrote works well on ASA, and I forgot to add that to the
    previous post :). Take a look at the PIX Configuration Guide and the
    Command Reference for your OS version; it's all there.

    --
    Michał Iwaszko
    Michał Iwaszko, Mar 16, 2007
    #7
  8. Krzysztof

    Hi!

    > Take a look at the PIX Configuration Guide and the
    > Command Reference for your OS version; it's all there.

    There is no "isakmp ipsec-over-tcp port" command or anything similar, so
    the final conclusion is:
    I CAN'T change the TCP/UDP ports used by PIX for IPSec tunnels :-( (I have
    version 6.3)

    Best Regards,

    Krzysztof
    Krzysztof, Mar 16, 2007
    #8
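As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python script works through the reasoning of posts #2, #3 and #5 against a configuration file: it reads the tunnelling-related lines of a PIX/ASA config, reports whether NAT-T is on, lists which ports and protocols a mobile user's upstream NAT device or firewall must pass for each transport (native IPsec, NAT-T on UDP 4500, IPsec over TCP), and flags the combination this thread ended on, an `isakmp ipsec-over-tcp` line on a PIX 6.x image, which has no such command. The sample configs are constructed; accepting both the bare `isakmp ...` form quoted in the thread and a `crypto isakmp ...` prefix, parsing several ports after `port`, and treating 10000 (the TCP port Walter Roberson mentions) as the default are assumptions of this example.

```python
import re
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed sample configurations (not from the thread or from any real device).
PIX63_CONFIG = """\
PIX Version 6.3(5)
hostname pix515e
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
"""

ASA7_CONFIG = """\
ASA Version 7.2(4)
hostname asa5510
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
"""

# The optional "crypto" prefix and the multi-port parsing are assumptions of this
# example; the command names themselves are the ones quoted in the thread.
_VERSION_RE = re.compile(r"^\s*(PIX|ASA) Version (\d+)\.(\d+)", re.M)
_NAT_T_RE = re.compile(r"^\s*(?:crypto\s+)?isakmp\s+nat-traversal(?:\s+(\d+))?\s*$", re.M)
_TCP_RE = re.compile(r"^\s*(?:crypto\s+)?isakmp\s+ipsec-over-tcp(?:\s+port\s+(.*))?$", re.M)

DEFAULT_TCP_PORT = 10000      # assumed default when no port is given on the line
DEFAULT_NAT_KEEPALIVE = 20    # seconds; the value used in "isakmp nat-traversal 20"

Allowance = Tuple[str, Optional[int]]   # ("udp", 4500) or ("esp", None)


def analyze(config: str) -> Dict[str, Any]:
    """Parse the tunnelling-related lines of a PIX/ASA config and derive what the
    client's upstream NAT device or firewall must let through."""
    platform, major = None, None
    m = _VERSION_RE.search(config)
    if m:
        platform, major = m.group(1), int(m.group(2))

    nat_t = _NAT_T_RE.search(config)
    nat_traversal = nat_t is not None
    keepalive = None
    if nat_traversal:
        keepalive = int(nat_t.group(1)) if nat_t.group(1) else DEFAULT_NAT_KEEPALIVE

    tcp_ports: List[int] = []
    for tm in _TCP_RE.finditer(config):
        ports = [int(p) for p in re.findall(r"\d+", tm.group(1) or "")]
        tcp_ports.extend(ports or [DEFAULT_TCP_PORT])

    # Per transport, what must reach the PIX from the client's location:
    # - native IPsec: UDP 500 (IKE) plus ESP (IP protocol 50), which a NAT/PAT
    #   device without NAT-T support cannot forward
    # - NAT-T: UDP 500 for IKE, then UDP 4500 carrying IKE and UDP-encapsulated ESP
    # - IPsec over TCP: only the configured TCP port(s)
    allowances: List[Allowance] = [("udp", 500), ("esp", None)]
    if nat_traversal:
        allowances.append(("udp", 4500))
    allowances.extend(("tcp", p) for p in tcp_ports)

    warnings: List[str] = []
    if not nat_traversal:
        warnings.append("NAT-T disabled: clients behind NAT/PAT cannot bring up ESP tunnels")
    if tcp_ports and platform == "PIX" and major is not None and major < 7:
        warnings.append("ipsec-over-tcp is not a PIX 6.x command; this line would be rejected")

    return {
        "platform": platform,
        "major_version": major,
        "nat_traversal": nat_traversal,
        "nat_keepalive": keepalive,
        "tcp_ports": tcp_ports,
        "allowances": allowances,
        "warnings": warnings,
    }


def usable_transports(settings: Dict[str, Any], blocked: Set[Allowance]) -> List[str]:
    """Given analyze()'s result and the (proto, port) pairs a client's site blocks
    (a NAT device without NAT-T counts as blocking ("esp", None)), return the
    transports the VPN Client could still use; this is post #3's reasoning."""
    ok: List[str] = []
    if ("udp", 500) not in blocked and ("esp", None) not in blocked:
        ok.append("native-ipsec")
    if settings["nat_traversal"] and ("udp", 500) not in blocked and ("udp", 4500) not in blocked:
        ok.append("nat-t")
    for port in settings["tcp_ports"]:
        if ("tcp", port) not in blocked:
            ok.append(f"ipsec-over-tcp/{port}")
    return ok


if __name__ == "__main__":
    hotel_policy = {("esp", None), ("udp", 4500)}   # constructed: NAT box, UDP 4500 filtered
    for name, cfg in (("PIX 6.3", PIX63_CONFIG), ("ASA 7.2", ASA7_CONFIG)):
        result = analyze(cfg)
        print(name, "allow:", result["allowances"], "warnings:", result["warnings"])
        print(name, "usable from hotel:", usable_transports(result, hotel_policy))
```

Run against a real configuration, the `warnings` list is the quick check for the situation in post #8 (an IPsec-over-TCP line that the running image does not support), and `usable_transports` with the blocked set observed at a given site tells you in advance whether a client there can connect at all before anyone starts changing ports.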