>From: "Crist J. Clark" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: Vadim Pushkin <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: Need Help with Cisco sw VPN behind IpFilter/OpenBSD
>Date: Tue, 13 Aug 2002 22:24:44 -0700
>
>On Tue, Aug 13, 2002 at 04:37:19AM +0000, Vadim Pushkin wrote:
> >
> > I run latest ipfilter 3.4.28 on openbsd 3.1
> > I need to allow vpn (software) client to work.
> >
> > 00:16:35.920748 vpn.XXX.net > 204.177.198.17: icmp: host XXX-net-IP-ADDR unreachable - admin prohibited filter
> >
> > Notice that vpn.XXX.net (fictitious) shows hostname at first, then IP
> > addr,
>
>No, I don't notice this. Each of those lines looks the same to me.
>
> > any reason for this? How must I
> > configure ipf.rules and/or ipnat.rules to make my
> > internal vpn clients work with Cisco 3000 Concentrator
> > and Cisco software on client machine?
> >
> > I am new to ipfilter but I read a lot on mailing list archives and find
> > no answer.
>
>Who is behind the firewall, the clients or the concentrator? Are you
>doing NAT? All you should need to open if you are not doing NAT is
>protocol ESP and UDP port 500. If you are doing NAT, switch on the
>Cisco's (yuck) UDP encapsulation, and pass that through the firewall.

Yes, I am doing NAT. How do I switch on Cisco's UDP encap? Is this
within my own OpenBSD/Ipfilter firewall? Or on the Cisco concentrator?
I have no access to the concentrator. Thank you very much for your reply,
and hopefully you can shed some light on this problem for me.

Here are my ipf.rules and ipnat.rules:

# sis0 is my outside interface IP is 204.177.198.17/32
# sis1 is my internal interface network is 192.168.1.0/24
# I am natting on my OpenBSD/IpFilter Firewall.


pass out quick on lo0
pass in quick on lo0
block in log quick on sis0 from 172.16.0.0/12 to any
block in log quick on sis0 from 10.0.0.0/8 to any
block in log quick on sis0 from 127.0.0.0/8 to any
block in log quick on sis0 from 0.0.0.0/8 to any
block in log quick on sis0 from 169.254.0.0/16 to any
block in log quick on sis0 from 192.0.2.0/24 to any
block in log quick on sis0 from 204.152.64.0/23 to any
block in log quick on sis0 from 224.0.0.0/3 to any
block in log quick on sis0 from 20.20.20.0/24 to any
# Anti-OS FingerPrinting.
block out quick on sis0 proto tcp from any to any flags FUP
block out quick on sis0 proto tcp from any to any flags SF/SFRA
block out quick on sis0 proto tcp from any to any flags /SFRA
#
pass in quick on sis0 proto tcp from any to any flags S keep state
pass in quick on sis0 proto udp from any to any keep state
pass in quick on sis0 proto icmp from any to any keep state
#
pass out quick on sis1 proto icmp all icmp-type 0
pass out quick on sis1 proto icmp all icmp-type 3
pass out quick on sis1 proto icmp all icmp-type 11
# SMTP IN-bound
pass in quick on sis0 proto tcp from any to any port = 25 flags S/SA keep state
#
pass in quick on sis0 proto tcp from any to any port = 29204 flags S/SA keep state
#
block in log quick on sis0 proto tcp all flags S/SA
block out log quick on sis0 proto tcp all flags SA/SA
#
# 204.177.198.17 is my sis0/Outside interface
#
pass in on sis0 proto any from vpn.XXX.net/32 to 204.177.198.17/32
#
# Below rules are in IP address format, made them into hostnames
# to make it easier to read.
#
pass in on sis0 proto udp from vpn.XXX.net/32 port = 10000 to 204.177.198.17/32 port = 10000
pass in on sis0 proto udp from vpn.XXX.net/32 port = 500 to 204.177.198.17/32 port = 500
#
# 192.168.1.0 is my Unnatted/internal network.
#
pass in proto esp from vpn.XXX.net/32 to 192.168.1.0/24
pass out proto esp from 192.168.1.0/24 to vpn.XXX.net/32
#
block out on sis1 proto tcp all flags S/SA
block out on sis1 proto icmp all

IPNAT.RULES:

map sis0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map sis0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:30000
map sis0 192.168.1.0/24 -> 0/32
#
# 192.168.1.101 is my internal host that is a VPN client
#
# Note: the two rdr rules below redirect to 192.168.1.100, not the .101 host
# named above, and 24.188.199.17 is not the sis0 address given at the top of
# ipf.rules (204.177.198.17). One value in each pair is a typo or an
# anonymisation leftover; check both before relying on these rules.
rdr sis0 24.188.199.17/32 port 500 -> 192.168.1.100 port 500
rdr sis0 24.188.199.17/32 port 10000 -> 192.168.1.100 port 10000




-vadim
Vadim (Ukranian Stallion) Pushkin
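The two cases Crist describes, written out in ipfilter's own rule syntax as an added illustration (this is not part of the thread and not Vadim's posted ruleset): the no-NAT case, which needs only IKE on UDP 500 plus ESP, and the NAT case, where the Cisco client's UDP encapsulation wraps ESP inside UDP so that a portmap NAT can carry it. Interface names, the concentrator hostname and the inside network are taken from the posted rules; the encapsulation port 10000 is assumed from the posted rules, since the concentrator decides which port it uses. Both cases rely on `keep state` on the client's outbound packets so that the concentrator's replies are admitted by the state table instead of by a standing inbound hole.

```ipfilter
# --- Case 1: no NAT between client and concentrator ---
# IKE negotiates on UDP 500; the tunnel itself is ESP (IP protocol 50),
# which has no port numbers, so it is matched by protocol only.
pass out quick on sis0 proto udp from any to vpn.XXX.net/32 port = 500 keep state
pass out quick on sis0 proto esp from any to vpn.XXX.net/32
pass in  quick on sis0 proto esp from vpn.XXX.net/32 to any

# --- Case 2: client is NATed by this firewall (the posted setup) ---
# ESP cannot be multiplexed by a port-rewriting NAT, so the Cisco client's
# UDP encapsulation must be on; ESP then travels inside UDP (port 10000
# assumed, as in the posted rules) and the whole exchange is two UDP flows
# that the map rule in ipnat.rules can translate like any other UDP.
pass out quick on sis0 proto udp from any to vpn.XXX.net/32 port = 500 keep state
pass out quick on sis0 proto udp from any to vpn.XXX.net/32 port = 10000 keep state

# Narrower replacement for the posted "pass in quick on sis0 proto udp from
# any to any keep state": with state kept on the outbound rules above, no
# inbound UDP pass rule is needed for client-initiated tunnels at all.
block in log quick on sis0 proto udp from any to any
```

With these rules the `rdr` entries in the posted ipnat.rules are only needed if the concentrator initiates traffic toward the client; replies to sessions the client opens are matched by the state entries, and the existing `map` rule handles the address translation.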

