VPN, from nat without VPN to nat with it

Discussion in 'Cisco' started by Allan Wilson, Jul 5, 2004.

  1. Allan Wilson

    Allan Wilson Guest

    Hi,

    I am not a Cisco PIX guru, I just need to know if something is
    possible ;-)

    On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
    of PIX 506 with VPN capabilities too.

    Is it possible to do so?

    On the central site, we'd use real IP addressing for the servers. I.e.,
    195.238.10.0/26 with .1 for the firewall, .2, .3, .4 for the servers.

    On the remote site, we have most of the time a Private Network
    according to the RFC, hide-NATed to the IP of the external interface of
    the firewall.

    So, now, the RFC hide-NATed networks get the external IP of the PIX
    506 firewall if they need to get into 195.238.10.0/26. It works OK.

    Now, for security reasons, we'd need the NATed data flow to be
    VPN encrypted and authenticated.

    What to add into the PIX 506 and PIX 515 to achieve so?

    Thank you,

    Allan
    Allan Wilson, Jul 5, 2004
    #1

  2. In article <>,
    Allan Wilson <> wrote:
    :On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
    :of PIX 506 with VPN capabilities too.

    :Is it possible to do so?

    :On the central site, we'd use real IP addressing for the servers. I.e.,
    :195.238.10.0/26 with .1 for the firewall, .2, .3, .4 for the servers.

    :On the remote site, we have most of the time a Private Network
    :according to the RFC, hide-NATed to the IP of the external interface of
    :the firewall.

    :So, now, the RFC hide-NATed networks get the external IP of the PIX
    :506 firewall if they need to get into 195.238.10.0/26. It works OK.

    :Now, for security reasons, we'd need the NATed data flow to be
    :VPN encrypted and authenticated.

    :What to add into the PIX 506 and PIX 515 to achieve so?

    If the data is going through a VPN to the remote PIX, it is
    always encrypted, using the transform negotiated between
    the two PIXes as the first one in common between the two
    crypto map transform lists. IPSec does in theory allow for a null
    encryption, but the PIX does not give you a way to specify null
    encryption, so you cannot get the PIX to use an unencrypted tunnel
    even if you wanted to.


    For authentication, what you should do is enable isakmp nat-traversal
    on both PIX (requires 6.3(3)) and then include an ah transform in
    the transform set; you will also need to ensure that UDP 4500 is open
    all the way between the two PIXes.

    There is, though, a logical inconsistency between doing NAT and
    expecting to be able to do IP authentication (AH), so it is not clear
    to me what you expect the AH to do for you in terms of security.
    Usually, if you want authentication to be taking place, then you are
    not deliberately NAT'ing the traffic, at least not at the PIX level.
    nat-traversal is really for the case where something downstream
    beyond the PIX is NAT'ing. If you want AH, you would normally use
    nat 0 access-list to allow the internal IP addresses to be seen
    by the remote side. [This does, though, require that you have
    a different private IP address range for each remote site.]
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
    Walter Roberson, Jul 5, 2004
    #2
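    The following is an added configuration example, not part of either post, showing the nat 0 access-list approach the reply recommends on the remote PIX 506 (PIX OS 6.3(3) or later). It assumes a constructed remote LAN of 10.1.1.0/24 and a placeholder pre-shared key; the 195.238.10.0/26 block and the .1 firewall address are from the question. Lines beginning with ":" are PIX comment lines.

```cisco
: Remote PIX 506 (example). Traffic to the central site is exempted from
: hide-NAT so the real private addresses traverse the tunnel.
access-list nonat permit ip 10.1.1.0 255.255.255.0 195.238.10.0 255.255.255.192
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 195.238.10.0 255.255.255.192
: Ordinary Internet traffic keeps using the outside interface address.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
: NAT exemption for the central site, as suggested in the reply above.
nat (inside) 0 access-list nonat
: Phase 1 (ISAKMP) with a pre-shared key; 3DES/SHA/group 2 are assumed.
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER-PSK address 195.238.10.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Only needed if a NAT device sits between the two PIXes (UDP 4500 must
: then be open end to end); harmless otherwise.
isakmp nat-traversal 20
: Phase 2: ESP with SHA-1 HMAC gives confidentiality plus per-packet
: authentication without AH's NAT incompatibility noted in the reply.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer 195.238.10.1
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap interface outside
: Let decrypted tunnel traffic bypass the outside interface access-list.
sysopt connection permit-ipsec
```

    The central PIX 515 mirrors this with the access-list source and destination swapped and the peer set to the 506's outside address; as the reply notes, each remote site needs its own distinct private range for this to work.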