--- On Wed, 2/17/10, Chuck Swiger <cswi...@mac.com> wrote:

From: Chuck Swiger <cswi...@mac.com>
Subject: Re: FreeBSD to Cisco ASA 5505 VPN Connection
To: "Bill Tillman" <btillma...@yahoo.com>
Cc: freebsd-questions@freebsd.org
Date: Wednesday, February 17, 2010, 5:17 PM


On Feb 17, 2010, at 3:06 PM, Bill Tillman wrote:
> The tech told me that I need to forward ports 500 and 4500 with my FreeBSD 
> router to the small VPN router inside my LAN. That's simple enought but then 
> he tells me I need to redirect all EPS and all AH traffic as well. I guess 
> this is where FreeBSD+NATD+IPFW hits the wall when working with Cisco or is 
> it? I gotta believe this can work but I don't know how the heck to do it and 
> the tech at our IT consultant is totally lost when it comes to anything 
> besides Cisco equipment.
> Has anyone got a suggestion on how to do a port redirect with natd to pickup 
> these EPS and AH packets. I added some new lines to my /etc/natd.conf file 
> and the AH part seemed ok but the console screen immediately said what the 
> heck is EPS. And worse it did not work. Only when I put the VPN router 
> outside of my existing router does this setup work. I really want to keep 
> this thing inside my LAN or even better would be how do I get my existing 
> router to work as a VPN on it's own?

When I was dealing with the Cisco VPN client, I was doing so with IPFW+natd and 
you need 500/udp, 4500/udp, 62515/udp, 1723/tcp, 10000/tcp, and the GRE 
protocol.  In my case, /etc/natd.conf contained:

punch_fw 10000:100
redirect_proto gre
redirect_port udp 500
redirect_port udp 4500
redirect_port udp 62515
redirect_port tcp 10000
redirect_port tcp pptp

...to send the traffic to a VPN endpoint located at IP


Thanks for everyone's valuable input on this. I'm still new to all this 
protocol and port forwarding topics.
As I see it, in the /etc/protocols file they list esp, ah and gre
so I would need all of this in my /etc/natd.conf like this:
punch_fw 10000:100
redirect_proto gre
redirect_proto esp
redirect_proto ah
redirect_port udp 500
redirect_port udp 4500
redirect_port udp 62515
redirect_port tcp 10000
redirect_port tcp pptp

The VPN router inside my LAN is Then I added these rules to my ipfw 
rule set:
ipfw add allow udp from any to any 500
ipfw add allow udp from any to any 4500
ipfw add allow udp from any to any 62515
ipfw add allow tcp from any to any 10000
ipfw add allow tcp from any to any 1723

The VPN router makes the connection to the other Cisco router but the phone 
still does not work. I turned the firewall in my VPN router off but still no 
go. This only works when I place the VPN router upstream of my router so it's 
got to be something in my FreeBSD router which is not letting the traffic 
through. I've been checking my /var/log/security file but don't see anything 
being blocked that's related to this.

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to