Pix to Pix tunnel through NAT

Discussion in 'Cisco' started by Jose Ros, Oct 19, 2004.

  1. Jose Ros (Guest)

    Can I do a pix to pix ipsec tunnel like this?
    PIX----NAT_device----INTERNET----PIX
     
    Jose Ros, Oct 19, 2004
    #1

  2. mcaissie (Guest)

    "Jose Ros" <> wrote in message
    news:...
    > Can I do a pix to pix ipsec tunnel like this?
    > PIX----NAT_device----INTERNET----PIX


    Yes, on the NAT_Device you will need to create a static translation for the
    internal PIX, and you will have to permit the IPsec traffic from the
    external PIX to the translated address; for example:

    isakmp: udp 500
    esp: protocol 50
    ah: protocol 51
     
    mcaissie, Oct 19, 2004
    #2

  3. Walter Roberson

    In article <APcdd.17163$_u6.13893@edtnps89>,
    mcaissie <> wrote:

    :"Jose Ros" <> wrote in message
    :news:...
    :> Can I do a pix to pix ipsec tunnel like this?
    :> PIX----NAT_device----INTERNET----PIX

    :Yes,

    :on the NAT_Device you will need to create a static translation for the
    :internal PIX. And you will have to permit the ipsec traffic from the
    :external PIX to the translated address;

    There is another approach possible as of 6.3(2): turn on NAT traversal.
    The static translation will then only be necessary on the NAT device
    if the -other- PIX needs to be able to initiate sessions.

    If the NAT device does any filtering, then to support NAT Traversal, it
    will be necessary to allow through UDP 4500 in both directions, along
    with different dynamically-determined ports in each direction.
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
     
    Walter Roberson, Oct 19, 2004
    #3
  4. John Smith (Guest)

    Nothing wrong with the previous answers, but why isn't your PIX doing that
    NATing?

    "Jose Ros" <> wrote in message
    news:...
    > Can I do a pix to pix ipsec tunnel like this?
    > PIX----NAT_device----INTERNET----PIX
     
    John Smith, Oct 20, 2004
    #4
  5. Rik Bain (Guest)

    Walter Roberson wrote:
    > In article <APcdd.17163$_u6.13893@edtnps89>,
    > mcaissie <> wrote:
    >
    > :"Jose Ros" <> wrote in message
    > :news:...
    > :> Can I do a pix to pix ipsec tunnel like this?
    > :> PIX----NAT_device----INTERNET----PIX
    >
    > :Yes,
    >
    > :on the NAT_Device you will need to create a static translation for the
    > :internal PIX. And you will have to permit the ipsec traffic from the
    > :external PIX to the translated address;
    >
    > There is another approach possible as of 6.3(2): turn on NAT traversal.
    > The static translation will then only be necessary on the NAT device
    > if the -other- PIX needs to be able to initiate sessions.
    >
    > If the NAT device does any filtering, then to support NAT Traversal, it
    > will be necessary to allow through UDP 4500 in both directions, along
    > with different dynamically-determined ports in each direction.


    FWIW, if both UDP/500 and UDP/4500 are statically mapped, then there
    will be no dynamic ports. All traffic will occur over 500/4500.
     
    Rik Bain, Oct 20, 2004
    #5
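Added example, not part of any post in this thread: a small Python classifier that takes the packets the remote PIX (or a filtering NAT device) would actually see and reports which permits mcaissie's list needs (UDP 500, ESP protocol 50, AH protocol 51) versus what NAT-T changes, which is what Walter Roberson's and Rik Bain's posts are about. With NAT-T, IKE floats to UDP 4500 and ESP is carried inside UDP 4500; the receiver tells the two apart by the four-zero-byte non-ESP marker in front of IKE (RFC 3948). The addresses 203.0.113.10 and 198.51.100.7, the SPIs and the ephemeral ports 61233/61234 are constructed sample data, the packets are built inline rather than captured, and the function names are mine, not PIX or Linkproof commands.

```python
"""Classify IPsec traffic the way a filtering NAT device sees it (added example).

Constructed sample packets, not captured traffic. Addresses, SPIs and the
ephemeral ports 61233/61234 are made up for illustration.
"""
import struct
from ipaddress import IPv4Address

UDP, ESP, AH = 17, 50, 51             # IP protocol numbers
ISAKMP_PORT, NAT_T_PORT = 500, 4500   # IKE, and IKE/ESP after NAT-T floats
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 starts with 4 zero bytes

# Static translation of the inside PIX on the NAT device, and the remote peer.
TRANSLATED, REMOTE_PIX = "203.0.113.10", "198.51.100.7"
IKE_HDR = bytes(28)  # stand-in for a 28-byte ISAKMP header (contents irrelevant here)
ESP_BODY = struct.pack("!II", 0x1234ABCD, 1) + bytes(16)               # SPI, seq, ciphertext
AH_BODY = struct.pack("!BBHII", 50, 4, 0, 0x00ABCDEF, 1) + bytes(12)   # nexthdr, len, rsvd, SPI, seq, ICV


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header, no options, checksum left zero (samples only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Return what a firewall must match on: protocol, ports, and the SPI if present."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {"src": str(IPv4Address(packet[12:16])), "dst": str(IPv4Address(packet[16:20])),
            "proto": proto, "sport": None, "dport": None, "spi": None, "kind": "other"}
    body = packet[ihl:]
    if proto == ESP:                        # raw ESP: SPI is the first 4 bytes
        info.update(kind="esp", spi=struct.unpack("!I", body[:4])[0])
    elif proto == AH:                       # raw AH: SPI follows nexthdr/len/reserved
        info.update(kind="ah", spi=struct.unpack("!I", body[4:8])[0])
    elif proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        info.update(sport=sport, dport=dport, kind="udp-other")
        if ISAKMP_PORT in (sport, dport):
            info["kind"] = "isakmp"
        elif NAT_T_PORT in (sport, dport):
            if data[:4] == NON_ESP_MARKER:  # IKE that has floated to 4500
                info["kind"] = "isakmp-nat-t"
            else:                           # UDP-encapsulated ESP; a real SPI is never 0
                info.update(kind="esp-udp", spi=struct.unpack("!I", data[:4])[0])
    return info


def sample_outbound(nat_preserves_ports=True):
    """Inside PIX -> remote PIX as seen past the NAT device. Constructed, not captured."""
    s500 = ISAKMP_PORT if nat_preserves_ports else 61233   # static port map vs plain PAT
    s4500 = NAT_T_PORT if nat_preserves_ports else 61234
    return [
        build_ipv4(UDP, TRANSLATED, REMOTE_PIX, build_udp(s500, ISAKMP_PORT, IKE_HDR)),
        build_ipv4(UDP, TRANSLATED, REMOTE_PIX, build_udp(s4500, NAT_T_PORT, NON_ESP_MARKER + IKE_HDR)),
        build_ipv4(UDP, TRANSLATED, REMOTE_PIX, build_udp(s4500, NAT_T_PORT, ESP_BODY)),
        build_ipv4(ESP, TRANSLATED, REMOTE_PIX, ESP_BODY),   # without NAT-T
        build_ipv4(AH, TRANSLATED, REMOTE_PIX, AH_BODY),     # without NAT-T
    ]


IPSEC_UDP_KINDS = ("isakmp", "isakmp-nat-t", "esp-udp")


def rules_to_permit(packets):
    """Distinct permits a filter in front of the translated address needs."""
    rules = set()
    for p in map(classify, packets):
        if p["kind"] in ("esp", "ah"):
            rules.add((p["kind"], None))       # protocol 50 / 51, no ports
        elif p["kind"] in IPSEC_UDP_KINDS:
            rules.add(("udp", p["dport"]))     # UDP 500 / 4500
    return rules


def return_path_ports(outbound):
    """UDP ports the remote PIX will answer to: the NAT's translated source ports.
    Statically mapped 500/4500 -> exactly {500, 4500}; plain PAT -> ephemeral ports
    the filter must also let back in."""
    return {p["sport"] for p in map(classify, outbound) if p["kind"] in IPSEC_UDP_KINDS}


if __name__ == "__main__":
    for label, pkts in (("static 500/4500", sample_outbound(True)), ("PAT", sample_outbound(False))):
        print(f"{label}: permit {sorted(rules_to_permit(pkts), key=str)}; "
              f"return-path UDP ports {sorted(return_path_ports(pkts))}")
```

Run it and compare the two cases. With UDP 500 and 4500 statically mapped on the NAT device the return-path ports are exactly 500 and 4500, which is Rik's point; with ordinary PAT the NAT picks ephemeral source ports, and those are the "dynamically-determined ports" Walter says a filtering NAT has to allow back in.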
  6. Jose Ros (Guest)

    "John Smith" <> wrote in message news:<>...
    > nothing wrong w/ previous answers, but why isn't your pix doing that
    > nat'ing?
    >
    > "Jose Ros" <> wrote in message
    > news:...
    > > Can I do a pix to pix ipsec tunnel like this?
    > > PIX----NAT_device----INTERNET----PIX


    Thanks for the answers guys. The NAT device is a Radware Linkproof
    load balancing 3 ISPs. It does not do any filtering whatsoever so I
    think I'm good.
     
    Jose Ros, Oct 21, 2004
    #6
  7. an admin too (Guest)

    "Jose Ros" <> wrote in message
    news:...
    > "John Smith" <> wrote in message news:<>...
    > > nothing wrong w/ previous answers, but why isn't your pix doing that
    > > nat'ing?
    > >
    > > "Jose Ros" <> wrote in message
    > > news:...
    > > > Can I do a pix to pix ipsec tunnel like this?
    > > > PIX----NAT_device----INTERNET----PIX

    >
    > Thanks for the answers guys. The NAT device is a Radware Linkproof
    > load balancing 3 ISPs. It does not do any filtering whatsoever so I
    > think I'm good.


    We're using the Linkproof, too, and have no problems with our VPN. You have to
    set up rules so that the VPN stays on the one range from one of your ISPs.
    We can connect VPN clients through the other ISPs, but the point-to-points
    don't work so well. However, if we put a 'branch' unit at the remote
    site the VPN will be load balanced. If only the PIX would support peers by
    URL....

    Email me if you would like more info on my Linkproof setup. I'm very
    interested in seeing how others are using the device.
     
    an admin too, Oct 21, 2004
    #7
