VPN, from nat without VPN to nat with it

Discussion in 'Cisco' started by Allan Wilson, Jul 5, 2004.

  1. Allan Wilson (Guest)

    Hi,

    I am not a Cisco PIX guru, I just need to know if something is
    possible ;-)

    On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
    of PIX 506 with VPN capabilities too.

    Is it possible to do so?

    On the central site, we'd use real IP addressing for the servers, i.e.,
    195.238.10.0/26 with .1 for the firewall, .2, .3, .4 for the servers.

    On the remote site, we have most of the time a Private Network
    according to the RFC hide-NATed to the IP of the external interface of
    the firewall.

    So, now, the RFC hide-NATed networks get the external IP of the PIX
    506 firewall if they need to get into 195.238.10.0/26. It works ok.

    Now, for security reasons, we'd need to have the NATed data flow to be
    VPN encrypted and auth.

    What to add into the PIX 506 and PIX 515 to achieve so?

    Thank you,

    Allan
     
    Allan Wilson, Jul 5, 2004
    #1

  2. In article <>,
    Allan Wilson <> wrote:
    :On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
    :of PIX 506 with VPN capabilities too.

    :Is it possible to do so?

    :On the central site, we'd use real IP addressing for the servers, i.e.,
    :195.238.10.0/26 with .1 for the firewall, .2, .3, .4 for the servers.

    :On the remote site, we have most of the time a Private Network
    :according to the RFC hide-NATed to the IP of the external interface of
    :the firewall.

    :So, now, the RFC hide-NATed networks get the external IP of the PIX
    :506 firewall if they need to get into 195.238.10.0/26. It works ok.

    :Now, for security reasons, we'd need to have the NATed data flow to be
    :VPN encrypted and auth.

    :What to add into the PIX 506 and PIX 515 to achieve so?

    If the data is going through a VPN to the remote PIX, it is
    always encrypted, using the transform chosen negotiated between
    the two PIXes as the first one in common between the two
    crypto map transform lists. IPSec does in theory allow for a null
    encryption, but the PIX does not give you a way to specify null
    encryption, so you cannot get the PIX to use an unencrypted tunnel
    even if you wanted to.


    For authentication, what you should do is enable isakmp nat-traversal
    on both PIX (requires 6.3(3)) and then include an ah transform in
    the transform set; you will also need to ensure that UDP 4500 is open
    all the way between the two PIXes.

    There is, though, a logical inconsistency between doing NAT and
    expecting to be able to do IP authentication (AH), so it is not clear
    to me what you expect the AH to do for you in terms of security.
    Usually, if you want authentication to be taking place, then you are
    not deliberately NAT'ing the traffic, at least not at the PIX level.
    nat-traversal is really for the case where something downstream
    beyond the PIX is NAT'ing. If you want AH, you would normally use
    nat 0 access-list to allow the internal IP addresses to be seen
    by the remote side. [This does, though, require that you have
    a different private IP address range for each remote site.]
    --
    And the wind keeps blowing the angel / Backwards into the future /
    And this wind, this wind / Is called / Progress.
    -- Laurie Anderson
     
    Walter Roberson, Jul 5, 2004
    #2
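The configuration the reply above sketches (nat 0 access-list to exempt the site-to-site traffic from hide-NAT, an IKE policy, a transform set that includes an AH transform, and isakmp nat-traversal), written out for both ends as an added example; it is not from the original thread and was not posted by either participant. Assumed: PIX OS 6.3(3) or later on both boxes, a remote inside network of 10.1.1.0/24, a remote outside address of 198.51.100.2, and a pre-shared key shown as `********`. 195.238.10.0/26 and the central firewall address .1 come from the question. Note that AH authenticates the outer IP header, so it only survives if nothing between the two PIXes translates addresses; NAT-T encapsulates ESP, not AH, which is why the nat 0 exemption is the part that actually makes the private addresses visible to the central side.

```cisco
! --- Remote site: PIX 506 (assumed inside 10.1.1.0/24, outside 198.51.100.2) ---
access-list nonat permit ip 10.1.1.0 255.255.255.0 195.238.10.0 255.255.255.192
access-list vpn   permit ip 10.1.1.0 255.255.255.0 195.238.10.0 255.255.255.192

! Exempt the tunnel traffic from hide-NAT so the central side sees 10.1.1.x;
! everything else keeps being PATed to the outside interface as before.
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! IKE phase 1 (3DES needs the 3DES/AES license; use des if the unit lacks it)
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key ******** address 195.238.10.1 netmask 255.255.255.255
! Only needed if some other device between the PIXes is doing NAT (UDP 4500)
isakmp nat-traversal 20

! IKE phase 2: AH for header authentication, ESP for encryption plus payload
! integrity. The first transform set both sides have in common is negotiated.
crypto ipsec transform-set AH-ESP ah-sha-hmac esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address vpn
crypto map VPNMAP 10 set peer 195.238.10.1
crypto map VPNMAP 10 set transform-set AH-ESP
crypto map VPNMAP interface outside
sysopt connection permit-ipsec

! --- Central site: PIX 515 (195.238.10.1), mirror image of the above ---
! One access-list and one crypto map sequence per remote site; each remote
! site must use a different private range or the access-lists overlap.
access-list vpn-site1 permit ip 195.238.10.0 255.255.255.192 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpn-site1

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key ******** address 198.51.100.2 netmask 255.255.255.255
isakmp nat-traversal 20

crypto ipsec transform-set AH-ESP ah-sha-hmac esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address vpn-site1
crypto map VPNMAP 10 set peer 198.51.100.2
crypto map VPNMAP 10 set transform-set AH-ESP
crypto map VPNMAP interface outside
sysopt connection permit-ipsec
```

After generating traffic from 10.1.1.0/24 towards a server in 195.238.10.0/26, `show crypto isakmp sa` should list the peer in QM_IDLE state and `show crypto ipsec sa` should show encaps/decaps counters climbing for the 10.1.1.0/24 to 195.238.10.0/26 pair; if the counters stay at zero while `show xlate` shows 10.1.1.x entries, the nat 0 access-list is not matching and the traffic is still being hide-NATed instead of entering the tunnel.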
