RE: VPN and NAT
Tony,

What are you using as your VPN end point, a PIX / concentrator? With the two you will need to create a static map in the NAT table to direct the VPN client request to the proper device behind the NAT table. You need the IKE client to perform this with Win 2K. I have this working into a PIX VPN solution.

Jason

-----Original Message-----
From: Tony Russell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 22, 2001 11:28 AM
To: '[EMAIL PROTECTED]'
Subject: VPN and NAT

> I am trying to use a VPN client to get to our corporate network. I am using a private address space and NATting at my router to provide Internet access. When I try to VPN from a workstation on my LAN it fails. Has anyone gotten a Windows 2000 machine to VPN when NAT is involved? What will it take to make this work?
>
> Tony Russell
> Network Engineer
> IBEAM Broadcasting

_______________________________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN and NAT
"Howard C. Berkowitz" [EMAIL PROTECTED] wrote:

> > I have a requirement to run a VPN for remote access and NAT for the entire LAN. I would prefer to run the one or the other on the router. Does anyone have any suggestions as to which? I am also currently running BGP. My opinion is to run the VPN on the router and NAT on another box, thereby creating a DMZ. However the file servers will be behind the NAT. How do I get from the VPN routers - through the firewall - to the internal file servers?
>
> What problem are you trying to solve with these technologies?

We are setting up a multihomed environment with two providers (BGP). We also want remote users to have secure access into the LAN from home (VPN). There is also a request to NAT everything on the LAN behind either a proxy server or a FW.

> What does the BGP do?
Re: VPN and NAT
> I have a requirement to run a VPN for remote access and NAT for the entire LAN. I would prefer to run the one or the other on the router. Does anyone have any suggestions as to which? I am also currently running BGP. My opinion is to run the VPN on the router and NAT on another box, thereby creating a DMZ. However the file servers will be behind the NAT. How do I get from the VPN routers - through the firewall - to the internal file servers?

"Howard C. Berkowitz" [EMAIL PROTECTED] wrote:
> What problem are you trying to solve with these technologies?

"Dave Santeramo" [EMAIL PROTECTED] replied,
> We are setting up a multihomed environment with two providers (BGP). We also want remote users to have secure access into the LAN from home (VPN). There is also a request to NAT everything on the LAN behind either a proxy server or a FW.

OK, I see the BGP and VPN requirements. I'm still a little vague on why you want NAT -- address conservation or something else? In a multihomed routing environment, the externally visible addresses (router, DNS, etc.) really should be registered.

Before commenting further on the VPN, what is your security model? Are you simply trying to protect traffic while it is in the public Internet, or on an end-to-end basis? Will this be IPsec, SSL, etc.? Do you trust the firewall/proxy to have access to all traffic in cleartext form? How do you plan to authenticate users and distribute cryptographic keys? Are your users mobile or at fixed sites?

If the encryption is host-to-host (i.e., from workstation to file server), a true firewall function (whatever that is) has limited applicability. Since the firewall can't examine packet contents that it can't decrypt, you might as well use a router to provide rate limiting and martian filtering -- a proxy won't work in this context.

--
"What Problem are you trying to solve?"
***send Cisco questions to the list, so all can benefit -- not directly to me***

Howard C. Berkowitz
[EMAIL PROTECTED]
Technical Director, CertificationZone.com
Senior Product Manager, Carrier Packet Solutions, Nortel Networks (for ID only) but Cisco stockholder!
"retired" Certified Cisco Systems Instructor (CID) #93005
Re: VPN and NAT
> I have a requirement to run a VPN for remote access and NAT for the entire LAN. I would prefer to run the one or the other on the router. Does anyone have any suggestions as to which? I am also currently running BGP. My opinion is to run the VPN on the router and NAT on another box, thereby creating a DMZ. However the file servers will be behind the NAT. How do I get from the VPN routers - through the firewall - to the internal file servers?

What problem are you trying to solve with these technologies?

What does the BGP do?
RE: VPN and NAT
Create subinterfaces and place NAT only on the internet link. This works fine.

-----Original Message-----
From: Robert Yee [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2000 06:47
To: [EMAIL PROTECTED]
Subject: Re: VPN and NAT

> Denao,
>
> Have you tried the NONAT statement in your access lists? I am by no means an expert, but here's a link to Cisco sample configs. There are a bunch near the bottom about IPsec, NAT and NONAT.
>
> Denao Ruttino wrote:

_______________________________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN and NAT
There is a presentation from Networkers that covers this (as well as the problems with IPSec and HSRP), complete with sample configs.

http://www.cisco.com/networkers/nw00/pres/2402.pdf (Advanced IPSec Deployment Scenarios)

HTH

Karen E Young
ELF Technologies, Inc
[EMAIL PROTECTED]
Desk: 206-770-4035
Pager: 206-994-4514

Robert Yee <rmyee@earthlink.net>
Sent by: nobody@groupstudy.com
07/17/00 09:46 PM
Please respond to Robert Yee

To: [EMAIL PROTECTED]
cc:
Subject: Re: VPN and NAT

> Denao,
>
> Have you tried the NONAT statement in your access lists? I am by no means an expert, but here's a link to Cisco sample configs. There are a bunch near the bottom about IPsec, NAT and NONAT.
>
> Denao Ruttino wrote:
Re: VPN and NAT
Denao,

Have you tried the NONAT statement in your access lists? I am by no means an expert, but here's a link to Cisco sample configs. There are a bunch near the bottom about IPsec, NAT and NONAT.

Denao Ruttino wrote:

> I have set up a router that is doing a router-router VPN as well as VPN clients coming in. The problem that I am having is with NAT. I need to set up 3 or 4 machines on the inside with static NAT translations and when I do, it translates all traffic. Is there a way to set this up where the VPN traffic does not get translated for these addresses? I have used the following:
>
> ip nat inside source static 192.8.8.150 192.8.8.150 extendable
> ip nat inside source static 192.8.8.100 200.150.15.22 extendable
>
> (not real addresses)
>
> This seems to work except for when I initiate connections from the 192.6.6.100 box. That only works 50% of the time. I do not have this problem on NAT pools, as route map statements allow me to deny translations by address. I only have this problem on the ones I want to assign a specific address to. Any suggestions would be appreciated.
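The NONAT idea in Robert's reply, worked through for Denao's static entries, as an added example that is not code from the thread. It models the inside-to-outside order of operations on a Cisco IOS router, where NAT runs before the crypto map is consulted: a static translation without an exemption rewrites the source of VPN-bound packets, so they no longer match the crypto ACL and leave the router untunnelled, while a route-map whose ACL denies the VPN-bound traffic (the route-map technique Denao already uses for the pool entries; applying it to the static entries is an assumption to check against your IOS release) leaves those packets untranslated so they enter the tunnel. The remote site 10.20.0.0/16 and the Internet host 198.51.100.10 are constructed; 192.8.8.100 and 200.150.15.22 are the (not real) addresses from Denao's post.

```python
"""NAT exemption for VPN traffic: a toy model of IOS inside-to-outside
processing (NAT first, then crypto map).  Added example; addresses are the
constructed ones from the thread plus a constructed remote site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# An extended ACL as (action, src_net, dst_net) lines; first match wins,
# implicit deny at the end.
Acl = List[Tuple[str, str, str]]


def acl_match(acl: Acl, pkt: Packet) -> Optional[str]:
    for action, src_net, dst_net in acl:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)):
            return action
    return None


# Crypto ACL: traffic the IPsec tunnel is supposed to carry (constructed).
CRYPTO_ACL: Acl = [("permit", "192.8.8.0/24", "10.20.0.0/16")]

# ACL behind "route-map NONAT": deny the VPN-bound traffic so it is NOT
# translated, permit everything else so it IS translated.
NONAT_ROUTE_MAP: Acl = [
    ("deny", "192.8.8.0/24", "10.20.0.0/16"),
    ("permit", "192.8.8.0/24", "0.0.0.0/0"),
]

# ip nat inside source static 192.8.8.100 200.150.15.22 (not real addresses)
STATIC_NAT = {"192.8.8.100": "200.150.15.22"}


def translate(pkt: Packet, route_map: Optional[Acl] = None) -> Packet:
    """Static NAT with an optional route-map: a 'deny' (or no match) in the
    route-map's ACL means the packet is left untranslated."""
    if pkt.src not in STATIC_NAT:
        return pkt
    if route_map is not None and acl_match(route_map, pkt) != "permit":
        return pkt
    return Packet(STATIC_NAT[pkt.src], pkt.dst)


def egress(pkt: Packet, route_map: Optional[Acl] = None) -> Tuple[str, Packet]:
    """Return (disposition, packet as it leaves the outside interface).
    NAT is applied first; only then is the crypto ACL checked."""
    out = translate(pkt, route_map)
    if acl_match(CRYPTO_ACL, out) == "permit":
        return "encrypted-in-tunnel", out
    return "plain-routed", out


def compare() -> dict:
    """Same two packets with and without the NONAT route-map."""
    vpn = Packet("192.8.8.100", "10.20.5.7")        # constructed remote-site host
    web = Packet("192.8.8.100", "198.51.100.10")    # constructed Internet host
    return {
        "vpn_no_routemap": egress(vpn),
        "vpn_with_routemap": egress(vpn, NONAT_ROUTE_MAP),
        "web_with_routemap": egress(web, NONAT_ROUTE_MAP),
    }


if __name__ == "__main__":
    for name, (disposition, out) in compare().items():
        print(f"{name:20s} src={out.src:15s} -> {disposition}")
```

The first case is the failure Denao describes: the packet is translated to 200.150.15.22 before the crypto map sees it, misses the crypto ACL, and is forwarded outside the tunnel. With the exemption in place the VPN packet keeps its private source and is encrypted, while ordinary Internet traffic from the same host is still translated.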
Re: VPN through NAT
Tried that already. Only info I found on there is configuring a PIX firewall VPN tunnel. Searching the CCO is a major pain; you get so many unrelated hits.

Greg

----- Original Message -----
From: "Balharek, Peter" [EMAIL PROTECTED]
To: "Greg Smythe" [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2000 1:31 PM
Subject: RE: VPN through NAT

> Try a crazy search on CCO. Type in "nat vpn". Select to search in support. Ohhh. RTFM.
>
> -----Original Message-----
> From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 30, 2000 12:55 PM
> To: [EMAIL PROTECTED]
> Subject: VPN through NAT
>
> > Hello -- Has anyone done this before? I'm trying to get a VPN connection to work over NAT. I see the translation happening, but my PC gets as far as "verifying username/pass" and then it errors out saying the server didn't respond (timeout).
> >
> > show ip nat tra:
> > tcp 3.3.3.3:1056 102.153.102.251:1056 1.1.1.1:1723 1.1.1.1:1723
> >
> > 3.3.3.3 is the IP of my router's internet interface. 102.153.102.251 is the inside IP of my PC. 1.1.1.1 is my VPN server on the internet. If I give my PC an internet IP then it works, so it has something to do with the NAT. No filters are in effect on the interfaces on my router.
> >
> > Thanks!
> > Greg
Re: VPN through NAT
So I can't make a VPN connection to my NT box over NAT. Well, that sucks. Thanks for the info!

Greg

----- Original Message -----
From: "Ric Messier" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2000 2:01 PM
Subject: Re: VPN through NAT

> VPNs don't typically work through NAT. The reason is that the packet is altered by the router on the way through the network. As a result, the signature is altered and the packet is discarded as being corrupt. The originating IP is used as part of the authentication mechanism for the packets coming through. It's a security feature.
>
> Ric
RE: VPN through NAT
To bring this back into the realm of education and enlightenment, let's look at the design issue. You are going VPN, i.e. secure tunnel from where to where?

Home - internet - firewall - inside_network

is the "standard" configuration, with you the user wanting to work from home for some perverse reason. ;-)

But in the case you state, it would appear that you the user are in the office, and want to VPN to some other place?

Corp_net - internet - some_other_place

Now as a matter of security policy, does corp_net want to allow people on the inside to connect snug and secure and private to some unknown place on the outside... say a competitor's network, where you will then transfer company secrets? As a matter of policy, companies might not want traffic whose contents cannot be inspected to be passing through their firewalls. Yes, there are all-in-one products, such as the Checkpoint VPN firewall, which operate in such a manner.

Inside - checkpoint - (VPN/NAT tunnel/non-tunnel) - internet - someplace_else

But as a matter of design, NAT notwithstanding, it is in my opinion at least not a good idea to permit unrestricted VPNs from inside to outside. If there are extranets to be considered, then one should design a routing situation in which those who need to connect to particular VPN devices would be routed to particular pieces of equipment, from which the extranet VPN would be established.

Inside - firewall --- internet
                   |- VPN/extranet - business_partner

Hey, guys, have I muddied this up enough? :-)

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg Smythe
Sent: Tuesday, May 30, 2000 2:13 PM
To: Ric Messier; [EMAIL PROTECTED]
Subject: Re: VPN through NAT

> So I can't make a VPN connection to my NT box over NAT. Well, that sucks. Thanks for the info!
>
> Greg
RE: VPN through NAT
This is not always the case. Many cable modem providers are running NAT for some reason. This can cause grief when trying to work from home with the office. I posted a response earlier but don't see it. I must have used the wrong email address.

The only VPN client I know of that will work through NAT is the Altiga (Cisco) VPN Client. It does a rain dance around NAT using UDP packets.

Kevin

At 02:56 PM 5/30/00 -0700, Chuck Larrieu wrote:

> To bring this back into the realm of education and enlightenment, let's look at the design issue. You are going VPN, i.e. secure tunnel from where to where?
>
> Home - internet - firewall - inside_network
>
> is the "standard" configuration, with you the user wanting to work from home for some perverse reason. ;-)
>
> But in the case you state, it would appear that you the user are in the office, and want to VPN to some other place?
>
> Corp_net - internet - some_other_place
>
> Now as a matter of security policy, does corp_net want to allow people on the inside to connect snug and secure and private to some unknown place on the outside... say a competitor's network, where you will then transfer company secrets? As a matter of policy, companies might not want traffic whose contents cannot be inspected to be passing through their firewalls. Yes, there are all-in-one products, such as the Checkpoint VPN firewall, which operate in such a manner.
>
> Inside - checkpoint - (VPN/NAT tunnel/non-tunnel) - internet - someplace_else
>
> But as a matter of design, NAT notwithstanding, it is in my opinion at least not a good idea to permit unrestricted VPNs from inside to outside. If there are extranets to be considered, then one should design a routing situation in which those who need to connect to particular VPN devices would be routed to particular pieces of equipment, from which the extranet VPN would be established.
>
> Inside - firewall --- internet
>                    |- VPN/extranet - business_partner
>
> Hey, guys, have I muddied this up enough? :-)
>
> Chuck