VPN with Cisco PIX 506E through firewalls - port question

Discussion in 'Cisco' started by aether8203@yahoo.com, May 2, 2005.

  1. Guest

    Goal: Allow telecommuters at home to VPN into the protected network.

    Internet traffic to our office goes through 2 Sidewinder firewalls
    before even hitting our Sidewinder firewall (yes - 3 firewalls). On
    our firewall, we have partitioned a port for our DMZ and allowed inbound
    UDP500 and UDP10000. Upstream, the firewalls have the same rule.

    My question is do you have to have inbound AND outbound traffic on
    those two ports?

    Reason: Using Cisco VPN Client 4.6, we can "connect and authenticate",
    but looking at the statistics, we have thousands of bytes sent out but
    ZERO bytes received. To me it looks like the upstream firewall is
    blocking the handshaking or whatever goes on between a PIX and a
    client.

    Thanks all,
    Sean
     
    , May 2, 2005
    #1

  2. In article <>,
    <> wrote:
    :Goal: Allow telecommuters at home to VPN into the protected network.

    :Internet traffic to our office goes through 2 Sidewinder firewalls
    :before even hitting our Sidewinder firewall (yes - 3 firewalls). On
    :our firewall, we have partitioned a port for our DMZ and allowed inbound
    :UDP500 and UDP10000. Upstream, the firewalls have the same rule.

    I seem to have missed out on where the PIX is in this sequence?

    :My question is do you have to have inbound AND outbound traffic on
    :those two ports?

    :Reason: Using Cisco VPN Client 4.6, we can "connect and authenticate",
    :but looking at the statistics, we have thousands of bytes sent out but
    :ZERO bytes received. To me it looks like the upstream firewall is
    :blocking the handshaking or whatever goes on between a PIX and a
    :client.

    Turn on isakmp nat-traversal on the PIX, then turn off UDP10000,
    and open up UDP 4500. There is some dynamic port negotiation after that
    that you might have to allow for on the other firewalls.
    --
    Would you buy a used bit from this man??
     
    Walter Roberson, May 2, 2005
    #2

  3. Guest

    Goes like this:

    =========
    = Internet =
    =========
    |-----> Firewall 1
    |-------> Firewall 2
    |----------> Our Firewall
    / \
    / \
    Internal DMZ (with PIX here)

    Since we have to go through a long paperwork process for opening a port
    in Firewall 1 and 2, is there any steadfast rule for VPN communication
    to a PIX? When you mention "dynamic port negotiation", what port does
    that translate to (or does it)?
     
    , May 2, 2005
    #3
  4. In article <>,
    <> wrote:
    :Since we have to go through a long paperwork process for opening a port
    :in Firewall 1 and 2, is there any steadfast rule for VPN communication
    :to a PIX?

    If all the IP address translation from outside to inside is 1-to-1,
    then you can use:

    ESP (IP protocol 50)
    isakmp (UDP port 500)

    If you want to add AH (authentication header) to such a situation,
    the public IP of the PIX must match the IP as known to the other
    side, and you would need IP Protocol 51 (AH.)


    : When you mention "dynamic port negotiation", what port does
    :that translate to (or does it)?

    If nat-traversal is turned on, which is required to deal with
    IP translation that is not 1-to-1, and required if you want to
    get AH through a non-identity IP translation, then UDP 4500 is used
    after UDP 500, and if NAT is detected then the next UDP port number
    in sequence in the "dynamic" range (> 1023) is used -- a different
    port each time. I do not clearly recall the details now, but
    I think the dynamic port is a -source- port, always used to the
    fixed port 4500 on the other end. (This process is done
    independently for the two directions, so each is sending to 4500.)
    --
    "Mathematics? I speak it like a native." -- Spike Milligan
     
    Walter Roberson, May 2, 2005
    #4
  5. Guest

    Last Question:

    When you say "open up" a port, do you mean both incoming and outgoing
    through the Firewalls? The "powers" above us have very strict
    procedures and I want to make sure I ask correctly.

    Thanks very much for your help!
     
    , May 2, 2005
    #5
  6. In article <>,
    <> wrote:
    :When you say "open up" a port, do you mean both incoming and outgoing
    :through the Firewalls?

    UDP 500 -- needed in both directions. 500 will be the source and
    destination for this flow -- port 500 to port 500.

    UDP 4500 -- if you are using NAT-T, needed in both directions
    I seem to recall that 4500 is the source and destination port during NAT-T
    negotiations, but I could be wrong. If NAT-T is activated, then
    4500 becomes the destination (outgoing) port for each side,
    with a {different} dynamic (> 1023) port as the source port for each
    side. Dynamic source ports are the normal mode of operation of all kinds
    of TCP/UDP protocols, so this dynamic nature should not require any special
    configuration.

    IP 50 (ESP) -- needed in both directions if NAT-T is off or if NAT-T
    detects that there is no NAT (no point encapsulating
    if you don't need to). There is no port number for ESP.
    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
     
    Walter Roberson, May 3, 2005
    #6
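The port summary in replies #4 and #6 (UDP 500 both ways, UDP 4500 both ways when NAT-T is on with a dynamic source port toward 4500, IP protocol 50/51 with no port) is easy to check against what a firewall actually passed. The script below is an added example and not part of this thread or of any Cisco or Sidewinder tooling: it parses a constructed, simplified flow-log format (`proto src[:port] -> dst[:port] bytes`), classifies each record as IKE, NAT-T, ESP, AH or other, totals bytes toward and away from the PIX address, and reports any VPN flow class that is one-way, which is exactly the "bytes sent, zero received" symptom in the first post. The IP addresses and the log lines are made up (documentation ranges), and the log format is an assumption, so adapt `LINE_RE` to your firewall's real log layout.

```python
import re
from collections import defaultdict

IKE_PORT = 500       # isakmp, port 500 -> port 500
NAT_T_PORT = 4500    # NAT-T, destination 4500, source dynamic (> 1023) once NAT is detected

# Constructed flow-log format (not a real Sidewinder/PIX format):
#   <proto> <src>[:<sport>] -> <dst>[:<dport>] <bytes>
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+(?P<bytes>\d+)$"
)

# Constructed sample: IKE completes both ways, the client's NAT-T data flow
# reaches the PIX from a dynamic source port, but nothing comes back.
PIX_IP = "198.51.100.5"            # assumed public address of the PIX
SAMPLE_LOG = """\
# comment lines and blank lines are ignored
udp 203.0.113.10:500 -> 198.51.100.5:500 1200
udp 198.51.100.5:500 -> 203.0.113.10:500 980
udp 203.0.113.10:52311 -> 198.51.100.5:4500 48000
"""


def parse_line(line):
    """Return a flow record dict, or None for comments/blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"].lower(),
        "src": d["src"],
        "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "bytes": int(d["bytes"]),
    }


def classify(rec):
    """Map a record to the VPN flow classes discussed in the thread."""
    if rec["proto"] == "esp":      # IP protocol 50, no port number
        return "esp"
    if rec["proto"] == "ah":       # IP protocol 51, no port number
        return "ah"
    if rec["proto"] == "udp":
        ports = {rec["sport"], rec["dport"]}
        if NAT_T_PORT in ports:    # either side 4500 covers the dynamic-source case
            return "nat-t"
        if IKE_PORT in ports:
            return "ike"
    return "other"


def audit(log_text, pix_ip):
    """Total bytes per flow class, split into traffic toward and away from the PIX."""
    totals = defaultdict(lambda: {"to_pix": 0, "from_pix": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if rec["dst"] == pix_ip:
            totals[kind]["to_pix"] += rec["bytes"]
        elif rec["src"] == pix_ip:
            totals[kind]["from_pix"] += rec["bytes"]
    return dict(totals)


def one_way_flows(totals):
    """Flow classes with bytes in exactly one direction: a rule is missing upstream."""
    return sorted(k for k, v in totals.items()
                  if (v["to_pix"] == 0) != (v["from_pix"] == 0))


def nat_t_dynamic_sources(log_text):
    """Dynamic (> 1023) source ports seen sending to UDP 4500; a new one per session."""
    ports = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "udp" and rec["dport"] == NAT_T_PORT and rec["sport"] > 1023:
            ports.add(rec["sport"])
    return sorted(ports)


if __name__ == "__main__":
    totals = audit(SAMPLE_LOG, PIX_IP)
    for kind, v in totals.items():
        print(f"{kind:6s} to_pix={v['to_pix']:>7} from_pix={v['from_pix']:>7}")
    print("one-way:", one_way_flows(totals))
    print("NAT-T dynamic source ports:", nat_t_dynamic_sources(SAMPLE_LOG))
```

On the constructed sample the IKE flow is balanced and only `nat-t` is flagged, which is the case to take to the upstream firewall team: UDP 4500 is needed in both directions, with the return flow going from the PIX's port 4500 back to whatever dynamic source port the client used.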
