Re: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Alex Lee

So how do the Linksys or Cisco 800 handle IPSec through PAT then?
Thanks.

 Alex Lee

Lidiya White  wrote in message
news:[EMAIL PROTECTED]...
 PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
 It all depends on the device that is between your client and the PIX that
 is doing PAT.
 IPSec uses the ESP protocol, which doesn't have ports, so how can you perform
 PAT (port address translation) for a protocol that doesn't understand the
 port concept?
 Some routers can pass IPSec through PAT (like Linksys, Cisco 800).
 So if the router/device that is doing PAT is IPSec aware, then you
 should be able to pass IPSec through. If not, then you have to make sure
 that one-to-one address translation happens for your VPN clients, not
 one-to-many (PAT)...
 Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47476t=47430
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread

Lidiya,

On the PIX, when you configure IPsec, you configure a pool of addresses that
your IPsec clients will use on your own network. For instance, your inside
network has the addressing scheme 192.168.0.0 with a class C subnet mask.
You set the pool to hand out the 10.0.0.0 subnet with a class C subnet mask.
Therefore, when your clients behind your firewall try to talk to the
10.0.0.0 network, they will hit the firewall and be passed to the
translation from the pool. You cannot have any devices in the middle which
PAT (i.e. a router which PATs the IP address of your PIX if your PIX is
establishing the tunnel). It must be a one-to-one translation from one end of
the tunnel to the other. Everyone feel free to correct me if I'm wrong,
which I'm sure will be the case.

Jason





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47482t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Robertson, Douglas

In most cases the PIX does not support VPNs over PAT; you need a static NAT
to establish a VPN tunnel.
Protocol 50 (Encapsulating Security Payload [ESP]) handles the
encrypted/encapsulated packets of IPSec. PAT devices
don't work with ESP since they have been programmed to work only with
Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
Internet Control Message Protocol (ICMP). In addition, PAT devices are
unable to map multiple security parameter indexes (SPIs). An alternative is
implemented in some devices like the VPN 3000 Concentrator by encapsulating
ESP within UDP and sending it to a negotiated port.

Doug





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47490t=47430
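Doug's point above (ESP carries no port field, so a PAT box has nothing to overload, and it cannot demultiplex several inside clients by SPI because the SPI on inbound ESP was chosen by the inside client during IKE and never appeared in any outbound packet the box saw) is easy to see in a small model. The following Python script is an added example, not code from this thread or from any Cisco or Linksys product. It models a PAT device with an ordinary TCP/UDP translation table plus an optional, deliberately naive "IPsec passthrough" mode, then runs two inside clients against the same VPN gateway, first with raw ESP and then with ESP carried inside UDP. All addresses and SPIs are constructed sample values; UDP port 4500 is taken from the later NAT-T standard and is an assumption here (the VPN 3000 in the thread negotiates its own port); the passthrough logic is a simplified model, not the behaviour of any specific router.

```python
"""Model of why classic PAT breaks raw ESP and why UDP-encapsulated ESP works.

Added example for the list thread; not vendor code. Addresses, SPIs and the
UDP port below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP, UDP, TCP = 50, 17, 6            # IP protocol numbers
PUBLIC_IP = "203.0.113.1"            # PAT device outside address (documentation range)
GATEWAY = "198.51.100.10"            # VPN gateway (PIX / concentrator) outside address
NAT_T_PORT = 4500                    # assumed UDP encapsulation port (RFC 3948 style)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None      # None for ESP: there is no layer-4 port field
    dport: Optional[int] = None
    spi: Optional[int] = None        # ESP only; chosen by the *receiver* of the SA


class PatDevice:
    """One public address shared by many inside hosts (one-to-many NAT)."""

    def __init__(self, ipsec_passthrough: bool = False) -> None:
        self.ipsec_passthrough = ipsec_passthrough
        self.next_port = 40000
        self.fwd: Dict[Tuple[int, str, Optional[int]], int] = {}   # (proto, in_ip, in_port) -> pub_port
        self.rev: Dict[Tuple[int, int], Tuple[str, Optional[int]]] = {}  # (proto, pub_port) -> (in_ip, in_port)
        self.esp_peer: Dict[str, str] = {}                          # remote gw -> inside host (passthrough)

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto in (TCP, UDP):
            key = (p.proto, p.src, p.sport)
            if key not in self.fwd:                  # allocate a fresh public port per inside flow
                self.fwd[key] = self.next_port
                self.rev[(p.proto, self.next_port)] = (p.src, p.sport)
                self.next_port += 1
            return replace(p, src=PUBLIC_IP, sport=self.fwd[key])
        if p.proto == ESP and self.ipsec_passthrough:
            # Naive passthrough: the only state available is "gateway X was last
            # talked to by inside host Y"; a second client to the same gateway overwrites it.
            self.esp_peer[p.dst] = p.src
            return replace(p, src=PUBLIC_IP)
        return None                                  # no port to translate on: dropped

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto in (TCP, UDP):
            hit = self.rev.get((p.proto, p.dport))
            return replace(p, dst=hit[0], dport=hit[1]) if hit else None
        if p.proto == ESP and self.ipsec_passthrough:
            # The inbound SPI was never seen outbound, so it cannot be used to pick the host.
            host = self.esp_peer.get(p.src)
            return replace(p, dst=host) if host else None
        return None


def raw_esp_scenario(passthrough: bool) -> Dict[str, Optional[str]]:
    """Two clients behind PAT send raw ESP to GATEWAY; report where each reply lands."""
    nat = PatDevice(ipsec_passthrough=passthrough)
    a = nat.outbound(Packet(ESP, "192.168.1.10", GATEWAY, spi=0x1111))
    b = nat.outbound(Packet(ESP, "192.168.1.11", GATEWAY, spi=0x2222))
    # The gateway answers on the SPIs each client picked for its own inbound SA.
    ra = nat.inbound(Packet(ESP, GATEWAY, PUBLIC_IP, spi=0xAAAA)) if a else None
    rb = nat.inbound(Packet(ESP, GATEWAY, PUBLIC_IP, spi=0xBBBB)) if b else None
    return {"to_a": ra.dst if ra else None, "to_b": rb.dst if rb else None}


def udp_encap_scenario() -> Dict[str, object]:
    """Same two clients, but ESP is wrapped in UDP so PAT has ports to work with."""
    nat = PatDevice()                                # plain PAT, no IPsec awareness at all
    a = nat.outbound(Packet(UDP, "192.168.1.10", GATEWAY, NAT_T_PORT, NAT_T_PORT))
    b = nat.outbound(Packet(UDP, "192.168.1.11", GATEWAY, NAT_T_PORT, NAT_T_PORT))
    ra = nat.inbound(Packet(UDP, GATEWAY, PUBLIC_IP, NAT_T_PORT, a.sport))
    rb = nat.inbound(Packet(UDP, GATEWAY, PUBLIC_IP, NAT_T_PORT, b.sport))
    return {"to_a": ra.dst, "to_b": rb.dst, "ports": (a.sport, b.sport)}


if __name__ == "__main__":
    print("raw ESP, plain PAT:      ", raw_esp_scenario(False))
    print("raw ESP, naive passthru: ", raw_esp_scenario(True))
    print("ESP in UDP, plain PAT:   ", udp_encap_scenario())
```

With plain PAT both clients' ESP is simply dropped. With the naive passthrough mode the gateway's reply meant for the first client is delivered to the second, because the box has nothing but "gateway X was last used by host Y" to go on. Carried inside UDP, each client gets its own public port and the replies demultiplex correctly, which is why the concentrator's UDP encapsulation works through an ordinary PAT box that knows nothing about IPsec.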



Re: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Paul

Cool, so the PIX will not support VPNs over PAT !!! So if I had my Main
Office PIX, and a VPN Concentrator ... could I successfully connect from a
remote office via a cable/adsl modem that does PAT using the Cisco VPN
software client ???

If so ... and if I had say ... 30 - 40 remote offices, potentially
connecting simultaneously ... would a VPN 3000 be overkill ??? or would I
be better getting a VAC for the PIX (would the PIX VAC support VPNs over
PAT), or are there other VPN concentrators that would do the job ...

Regards ...

Paul ...





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47520t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

IP Security Through Network Address Translation Support
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/827/827rlnts/820feat.htm

I think Linksys just has an option for a checkmark on IPSec through
NAT.

-- Lidiya White






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47529t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

VPN traffic can pass through PAT if the device that does PAT is
IPSec aware. Remember, that device will only see the
encrypted/encapsulated traffic, so the IP header will have IP src: your
client's public IP; dst: the PIX's outside interface. It doesn't matter what
your pool is configured for...
It's not just theory. From my own experience, I had 3 VPN clients
behind a Cisco 806 that was configured for PAT, simultaneously
connecting to the same PIX via VPN and passing traffic.

-- Lidiya White





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47530t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

See inlines.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

 Cool, so the PIX will not support VPNs over PAT !!!

If you are talking about passing IPSec through the PIX (not the PIX
terminating the VPN tunnel), then you are correct. The PIX has to have a pool
of IP addresses for one-to-one NAT for your VPN clients.

If you are talking about the PIX terminating the VPN, then the PIX won't even
know the difference if the packet went through the PAT/NAT device.

 So if I had my Main Office PIX, and a VPN Concentrator ... could I
 successfully connect from a remote office via a cable/adsl modem that does
 PAT using the Cisco VPN software client ???

Is your cable modem IPSec aware (supports IPSec through PAT)?

If yes, then you can terminate VPN tunnels on the VPN Concentrator or
the PIX.

If not, then you can use the VPN Concentrator with the IPSec over TCP option.
The PIX doesn't support IPSec over TCP for now. The PIX only listens on UDP
port 500.

-- Lidiya White





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47531t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread supernet

Lidiya,

I didn't try the PIX, but I tried a 1605: Main office
3030---Internet---1605---VPN clients. It worked fine. The 1605 was
configured with PAT inside. Does this mean the 1605 is IPSec aware? If the
1605 is IPSec aware, why isn't the PIX?

Thanks.
Yoshi





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47540t=47430

RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

I bet you were using IPSec over TCP. Then it really doesn't matter what
is in the 'middle'. Your Cisco 1605 will see only TCP traffic, not ESP.
The Cisco 1600 is not IPSec aware (and doesn't have to be in your setup).

-- Lidiya White



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread supernet

My clients use IPSec over UDP, not TCP. We do have to enable "Allow
IPSec through NAT" on the clients. I guess it's the same thing you were
talking about, right?

Thanks.
Yoshi


Re: Cisco VPN client and NAT [7:47430]

2002-06-25 Thread Ruihai An

On the VPN concentrator, under System > User Management > Group, IPSec tab, you
need to check IPSec through NAT.
Also you need to make sure your PIX is configured to pass IPsec (AH, ESP),
ISAKMP, and UDP encapsulation traffic.

Ruihai

Paul wrote in message
news:[EMAIL PROTECTED]...
 Hi ...

 I'm using the Cisco VPN clients 3.1 and 3.0.6. When dialing up, everything
 works fine !!! However, when a user connects from a remote office, i.e. behind
 some NAT'ing device ... a connection is made .. but the remote office client
 cannot access/ping any devices on the private IP address side like the dialup
 client can ... All the clients are using Microsoft 2000 or XP ... I have
 tried enabling IPSec on the Win2K boxes without success ??

 I am using Cisco PIX ver 6 at the main office. Do I need to configure the PIX
 to allow IPSec from Win2K ???

 I have looked at the Cisco site heaps ... but cannot really find any
 solutions. Any advice would be greatly received ...

 Thanks

 Paul ..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47437t=47430