IPSec/PAT through PIX 6.3(3) to remote endpoint

Discussion in 'Cisco' started by Jean Henchey, Feb 23, 2005.

  1. Jean Henchey

    Jean Henchey Guest

    I have users inside of a corporate network who are trying to VPN into a
    remote network. The topology looks like this

    Nortel Client (PAT) ---- PIX ------ Internet ---- Nortel VPN Server

    We know if we drop out the PIX, the client can successfully connect to
    the nortel switch.

    I should also note the nortel client is preconfigured to use a
    nonstandard port (not 10000) if it needs to use ESP encapsulation.

    The PIX is configured with access-lists to explicitly identify which
    subnets are allowed to use the nortel client and which destination they
    may use (i.e. the nortel vpn server IP only).


    I know that you can usually make a VPN client work from behind a PIX if
    (1) You're using NAT and assign a static IP on the outside for each
    client workstation or (2) You're using PAT and only 1 client connects
    outwards at a time (due to the nature of ESP).

    What happens if you have multiple clients on your network which need to
    connect to that external VPN and you're using PAT?

    I have tried enabling nat-traversal and it didn't work. I've also tried
    explicitly allowing udp 500 and the nonstandard port to pass traffic...
    After making these changes, I was sure to clear the xlate. The odd
    aspect of this is that sometimes the clients will work and other times
    they won't, without any configuration changes to the PIX. For example,
    I had a dozen VPN clients (in a classroom) successfully connected to the
    nortel vpn server, and suddenly no additional workstations could
    connect. So, I stopped and tried to re-initiate the vpn connection on
    the dozen workstations -- they wouldn't re-connect to the remote
    network. It is just the strangest thing.

    It seems IOS 12.2(13)T and newer are supposed to support this feature,
    but not PIX?

    We've tried calling Cisco and the tech was of no help at all.

    Has anyone tried this before? What worked? Did you notice any
    instabilities in the PIX when passing IPSec traffic?

    Any help would be greatly appreciated.

    Thanks,

    Jean
     
    Jean Henchey, Feb 23, 2005
    #1

  2. Iskander

    Iskander Guest

    For ESP, IP protocol (not port!!) 50 should be open on the PIX..
     
    Iskander, Feb 23, 2005
    #2

  3. Jean Henchey

    Jean Henchey Guest

    Iskander said the following on 2/23/2005 5:04 PM:
    From what the documentation shows, it doesn't appear ESP will work
    through the PIX with PAT. Is that true?

    It seems like a proper router (not PIX) supports IPSec over PAT.

    I'm not trying to say that ESP uses port 50. The authentication piece
    of ipsec uses udp/500 on both ends. The tunnel obviously is ESP over
    protocol 50. Failing that, nat-traversal should come into play. In our
    case, we dump the packets into traffic to a high port on the nortel vpn
    server.

    Has anyone gotten a tunnel to pass through PIX, using PAT on the
    internal/originating network?

    Jean
     
    Jean Henchey, Feb 25, 2005
    #3
  4. Walter Roberson

    : From what the documentation shows, it doesn't appear ESP will work
    :through the PIX with PAT. Is that true?

    It will if you have NAT-T, and otherwise it will work for at most
    1 host: with more than that, the return ESP packets will not be
    redistributable to the proper internal hosts.

    :It seems like a proper router (not PIX) support IPSec over PAT.

    I don't know what you mean by "proper router", but it is an
    inherent problem with the protocol: it just doesn't -have- ports
    that can be mapped. There is some work being done around making
    use of one of the fields within the ESP packet, but I haven't
    heard of that being implemented yet in IOS or PIX.


    :I'm not trying to say that ESP uses port 50. The authentication piece
    :of ipsec uses udp/500 on both ends. The tunnel obviously is ESP over
    :protocol 50.

    Protocol 50 -is- ESP: a protocol 50 packet -is- an ESP packet.


    :Has anyone gotten a tunnel to pass through PIX, using PAT on the
    :internal/originating network?

    Yes, but only because you weren't ultra careful with the phrasing of the
    question ;-)

    I have a PIX 501 with a single public IP, so I'm doing PAT
    on that, the originating network. I have tunnels to a couple of
    PIXes, one of which is "inside" another, with static NAT on the
    outer PIX towards the inner. Thus I have gotten an IPSec tunnel
    to pass through a PIX, and originating network is using PAT, so
    the terms of the question are satisfied. But No, I don't have
    an ESP IPSec tunnel passing -through- a PIX that is doing PAT with
    the IP that is the tunnel endpoint: you just can't do that with
    ESP, and that's why NAT-T is used. If the endpoints use NAT-T
    then as long as UDP 500 and UDP 450 can make it through (both
    of which can be PAT'd) then you can pass the tunnel through PAT
    devices.
     
    Walter Roberson, Feb 25, 2005
    #4
  5. Iskander

    Iskander Guest

    : ESP, and that's why NAT-T is used. If the endpoints use NAT-T
    : then as long as UDP 500 and UDP 450 can make it through (both
    : of which can be PAT'd) then you can pass the tunnel through PAT

    Make that UDP 500 and UDP 4500
    UDP 500 is for IKE and UDP 4500 is for NAT-T
     
    Iskander, Feb 25, 2005
    #5
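    An added illustration of the point made in posts #4 and #5 (this is example
    code, not from the thread): a toy PAT translator showing that plain ESP
    (IP protocol 50) replies can only be mapped back to an inside host while a
    single host is active, whereas NAT-T, which wraps ESP in UDP 4500 next to
    IKE on UDP 500, gives each host its own public port. Addresses and SPIs are
    constructed sample values.

```python
from dataclasses import dataclass

ESP, UDP = 50, 17        # IP protocol numbers
NAT_T_PORT = 4500        # UDP port NAT-T wraps ESP in (IKE itself uses UDP 500)

@dataclass
class Pkt:
    proto: int
    src: str
    dst: str
    sport: int = 0       # UDP only
    dport: int = 0       # UDP only
    spi: int = 0         # ESP only; chosen by the packet's *receiver*

class PAT:
    """Simplified PAT device with one public IP (constructed example)."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 20000
        self.udp_map = {}      # public port -> (inside ip, inside port)
        self.esp_hosts = []    # inside hosts seen sending ESP

    def outbound(self, p):
        if p.proto == UDP:
            # One public source port per inside (ip, port): this is what makes UDP PAT-able.
            pub = next((k for k, v in self.udp_map.items() if v == (p.src, p.sport)), None)
            if pub is None:
                pub, self.next_port = self.next_port, self.next_port + 1
                self.udp_map[pub] = (p.src, p.sport)
            return Pkt(UDP, self.public_ip, p.dst, pub, p.dport)
        # ESP has no port field; the translator can only remember who sent it.
        if p.src not in self.esp_hosts:
            self.esp_hosts.append(p.src)
        return Pkt(ESP, self.public_ip, p.dst, spi=p.spi)

    def inbound(self, p):
        """Inside host a reply belongs to, or None if it cannot be demultiplexed."""
        if p.proto == UDP:
            inside = self.udp_map.get(p.dport)
            return inside[0] if inside else None
        # The reply SPI was picked by the inside host and never seen outbound,
        # so with more than one ESP host there is no key to map it back.
        return self.esp_hosts[0] if len(self.esp_hosts) == 1 else None

def plain_esp(hosts, server="203.0.113.10"):
    pat = PAT("198.51.100.1")
    for i, h in enumerate(hosts):                     # outbound SPIs were set by the server
        pat.outbound(Pkt(ESP, h, server, spi=0x1000 + i))
    return [pat.inbound(Pkt(ESP, server, pat.public_ip, spi=0x2000 + i))
            for i in range(len(hosts))]               # replies use SPIs the clients chose

def nat_t(hosts, server="203.0.113.10"):
    pat = PAT("198.51.100.1")
    out = [pat.outbound(Pkt(UDP, h, server, NAT_T_PORT, NAT_T_PORT)) for h in hosts]
    return [pat.inbound(Pkt(UDP, server, pat.public_ip, NAT_T_PORT, o.sport)) for o in out]
```

    With one inside host `plain_esp` still maps the reply, with two it returns None for both, while `nat_t` maps every reply back to its host.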
  6. Jean Henchey

    Jean Henchey Guest

    Iskander said the following on 2/25/2005 3:03 AM:
    If I'm doing ESP encapsulation, do I need to enable nat-t in the pix?
     
    Jean Henchey, Feb 25, 2005
    #6