Re: VPN through NAT

2000-05-30 Thread Scott Benton

First of all, are you trying to use an IPSEC or a PPTP
tunnel? Are you terminating the tunnel on the PC or on
the router that is doing translation?
Scott
--- Greg Smythe <[EMAIL PROTECTED]> wrote:
> Hello --
> 
> Has anyone done this before? I'm trying to get a VPN
> connection to work over
> NAT. I see the translation happening, but my PC gets
> as far as "verifying
> username/pass" and then it errors out saying the
> server didn't respond
> (timeout).
> show ip nat tra:
> 
> tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723 1.1.1.1:1723
> 
> 3.3.3.3 is the IP of my router's internet interface.
> 102.153.102.251 is my
> inside IP of my pc. 1.1.1.1 is my VPN server on the
> internet.
> 
> If I give my PC an internet IP then it works, so it
> has something to do with
> the NAT. No filters are in effect on the interfaces
> on my router.
> 
> Thanks!
> 
> 
> Greg
> 
> ___
> UPDATED Posting Guidelines:
> http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]





Re: VPN through NAT

2000-05-30 Thread Rodgers Moore

Greg,

Sure you can get an IPSEC tunnel to work through a router doing NAT.  The
problem that normally arises is with PAT.  ISAKMP uses UDP port 500 for the
source and destination.  PAT screws this up, by translating the source port
from 500 to something else and this is invalid.  You also have to configure
passing IPSEC, IP protocols 50 and 51, if you are using any access-lists to
restrict traffic or to define the interesting traffic to the NAT process.

I've done this many times in the past.  Through routers, PIX, Raptor
Firewalls, and Check Point Firewalls.  It's becoming more common that more
organizations are implementing firewalls and require a particular client and
do not allow server to server tunnels for security reasons.

Rodgers Moore

""Greg Smythe"" <[EMAIL PROTECTED]> wrote in message
news:001701bfca7b$d76398c0$020b010a@ei...
> So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
> Thanks for the info!
>
> Greg
> - Original Message -
> From: "Ric Messier" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, May 30, 2000 2:01 PM
> Subject: Re: VPN through NAT
>
>
> VPNs don't typically work through NAT. The reason is that the packet is
> altered by the router on the way through the network. As a result, the
> signature is altered and the packet is discarded as being corrupt. The
> originating IP is used as part of the authentication mechanism for the
> packets coming through. It's a security feature.
>
> Ric
>
> - Original Message -
> From: "Balharek, Peter" <[EMAIL PROTECTED]>
> To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, May 30, 2000 4:31 PM
> Subject: RE: VPN through NAT
>
>
> > Try a crazy search on CCO.
> >
> > Type in "nat vpn".
> > Select to search in support.
> >
> > Ohhh.
> >
> > Rtfm
> >
> >
> >
> > -Original Message-
> > From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 30, 2000 12:55 PM
> > To: [EMAIL PROTECTED]
> > Subject: VPN through NAT
> >
> > Hello --
> >
> > Has anyone done this before? I'm trying to get a VPN
> > connection to work over
> > NAT. I see the translation happening, but my PC gets as far
> > as "verifying
> > username/pass" and then it errors out saying the server
> > didn't respond
> > (timeout).
> > show ip nat tra:
> >
> > tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723
> > 1.1.1.1:1723
> >
> > 3.3.3.3 is the IP of my router's internet interface.
> > 102.153.102.251 is my
> > inside IP of my pc. 1.1.1.1 is my VPN server on the
> > internet.
> >
> > If I give my PC an internet IP then it works, so it has
> > something to do with
> > the NAT. No filters are in effect on the interfaces on my
> > router.
> >
> > Thanks!
> >
> >
> > Greg
> >
> ---
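
An added illustration (not part of any poster's message, and not vendor code) of the two failure modes raised in this thread: PAT rewriting the ISAKMP source port away from UDP 500, and an address rewrite invalidating an integrity check that covers the IP addresses. It is a toy model: the `Packet` class, the HMAC key, and the assumption that the PAT device only overloads TCP/UDP ports are constructed for the example; the addresses are the ones quoted in the thread.

```python
"""Toy model: what static NAT and PAT do to ISAKMP, AH and ESP packets."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple

ISAKMP_PORT = 500                    # UDP port ISAKMP uses for source and destination
TCP, UDP, ESP, AH = 6, 17, 50, 51    # IP protocol numbers
KEY = b"constructed-demo-key"        # constructed sample key, not a real SA key


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None      # None for port-less protocols (ESP, AH)
    dport: Optional[int] = None
    payload: bytes = b""
    icv: bytes = b""                 # integrity check value, if any


def ah_icv(p: Packet) -> bytes:
    """AH authenticates the payload and the IP addresses around it."""
    return hmac.new(KEY, f"{p.src}|{p.dst}|".encode() + p.payload, hashlib.sha1).digest()


def esp_icv(p: Packet) -> bytes:
    """ESP authentication covers the ESP payload, not the outer IP header."""
    return hmac.new(KEY, p.payload, hashlib.sha1).digest()


def static_nat(p: Packet, public_ip: str) -> Packet:
    """One-to-one NAT: only the source address changes."""
    return replace(p, src=public_ip)


def pat(p: Packet, public_ip: str, next_port: int = 1056) -> Optional[Packet]:
    """Port overload: rewrites address and source port (assumed TCP/UDP only)."""
    if p.proto not in (TCP, UDP):
        return None                  # no port field to overload, so no translation
    return replace(p, src=public_ip, sport=next_port)


def peer_accepts(p: Optional[Packet]) -> Tuple[bool, str]:
    """Receiving VPN peer, modelled on the behaviour described in the thread."""
    if p is None:
        return False, "dropped at the translator"
    if p.proto == UDP and p.dport == ISAKMP_PORT:
        if p.sport != ISAKMP_PORT:
            return False, f"ISAKMP source port {p.sport}, expected {ISAKMP_PORT}"
        return True, "ISAKMP accepted"
    if p.proto == AH:
        ok = hmac.compare_digest(p.icv, ah_icv(p))
        return ok, "AH ICV ok" if ok else "AH ICV mismatch (address was rewritten)"
    if p.proto == ESP:
        ok = hmac.compare_digest(p.icv, esp_icv(p))
        return ok, "ESP ICV ok" if ok else "ESP ICV mismatch"
    return True, "not IPsec"


def sample_flows(inside: str = "102.153.102.251", server: str = "1.1.1.1") -> dict:
    """Constructed packets using the inside and server addresses from the thread."""
    isakmp = Packet(UDP, inside, server, ISAKMP_PORT, ISAKMP_PORT, b"IKE")
    ah = Packet(AH, inside, server, payload=b"data")
    ah = replace(ah, icv=ah_icv(ah))          # sender computes ICV before NAT
    esp = Packet(ESP, inside, server, payload=b"data")
    esp = replace(esp, icv=esp_icv(esp))
    return {"isakmp": isakmp, "ah": ah, "esp": esp}


def survey(public_ip: str = "3.3.3.3") -> dict:
    """For each flow, does the peer accept it after static NAT and after PAT?"""
    return {
        name: {
            "static_nat": peer_accepts(static_nat(pkt, public_ip))[0],
            "pat": peer_accepts(pat(pkt, public_ip))[0],
        }
        for name, pkt in sample_flows().items()
    }


if __name__ == "__main__":
    for name, verdict in survey().items():
        print(f"{name:7s} {verdict}")
```

In this model ISAKMP and ESP survive one-to-one NAT but not PAT, while AH fails under both because its check value covers the source address.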





RE: VPN through NAT

2000-05-30 Thread Chuck Larrieu

I believe Cisco's preferred method for this is through specific products
designed for VPN router to router communication

700, 800, 1600 and 1700 series.

In theory, an IPSec compliant box on your side should be able to talk to an
IPSec compliant box on the Corporate side. These things are not necessarily
so at this time.

The idea being that if you had a Cisco router with the firewall and IPSec
feature set, you could configure the router such that your VPN traffic would
go to the designated tunnel device at corporate, and the rest of your
internet traffic would go as it pleased. I did a lab on this a ways back and
published the generic configs to show how the principle works.

Otherwise, the way I have seen most designs, someone with a DSL connection
installs client VPN software on their machine, using that means to create
the secure tunnels. This is actually one of the security concerns, in that
the presence of this shim software does nothing to ensure that the machine
itself is secure.

In your configuration, the preferred manner would be to run the VPN tunnel
from edge to edge, and leave the PC client untouched. There are any number
of known issues with PC shims anyway.

I look forward to hearing what TAC says. Secure VPN client to a Pix?

Chuck

-Original Message-
From:   Greg Smythe [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, May 30, 2000 3:12 PM
To: Chuck Larrieu; [EMAIL PROTECTED]
Subject:        Re: VPN through NAT

I'm trying to VPN from my Home, through a NAT router, over the internet, and
into a VPN server on the corporate network:

This is what I have:

PC ---| 
|
  nat rtr
| 
 internet
|
 VPN server
|
| 

If that's not readable: PC  --NAT
Router--Internet--VPN Server (NT)--Corp LAN

On my NAT router I see it trying to connect but something is not passing over
the router correctly.

As a last resort I have just opened a case with the TAC (I decided to try on
here first to see if I could get a fast response ). I'll let the list
know what they say. My case was just dispatched to a tech.

Greg

- Original Message -
From: "Chuck Larrieu" <[EMAIL PROTECTED]>
To: "Greg Smythe" <[EMAIL PROTECTED]>; "Ric Messier"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 2:56 PM
Subject: RE: VPN through NAT


To bring this back into the realm of education and enlightenment, let's look
at the design issue.

You are going VPN, ie secure tunnel from where to where?

Homeinternet-firewall-inside_network is the "standard"
configuration, with you the user wanting to work from home for some perverse
reason. ;->

But in the case you state, it would appear that you the user are in the
office, and want to VPN to some other place?

Corp_net-internet-some_other_place

Now as a matter of security policy, does corp_net want to allow people on
the inside to connect snug and secure and private to some unknown place on
the outside... say a competitor's network, where you will then transfer
company secrets?

As a matter of policy, companies might not want traffic whose contents
cannot be inspected to be passing through their firewalls.

Yes there are all in one products, such as the Checkpoint VPN firewall,
which operate in such a manner.

Insidecheckpoint-(VPN/NATtunnel/non-tunnel)-internet-someplace_else

But as a matter of design, NAT notwithstanding, it is in my opinion at
least, not a good idea to permit unrestricted VPNs from inside to outside.
If there are extranets to be considered, then one should design a routing
situation in which those who need to connect to particular VPN devices would
be routed to particular pieces of equipment, from which the extranet VPN
would be established.

Inside-firewall---internet
 |-VPN/extranetbusiness_partner

Hey, guys, have I muddied this up enough?  :->

Chuck


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg
Smythe
Sent: Tuesday, May 30, 2000 2:13 PM
To: Ric Messier; [EMAIL PROTECTED]
Subject: Re: VPN through NAT

So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
Thanks for the info!

Greg
- Original Message -
From: "Ric Messier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 2:01 PM
Subject: Re: VPN through NAT


VPNs don't typically work through NAT. The reason is that the packet is
altered by the router on the way through the network. As a result, the
signature is altered and the packet is discarded as being corrupt. The
originating IP is used as part of the authentication mechanism for the
packets coming through. It's a security feature.

Ric

- Original Message -
From: "Balharek, Peter" <[EMAIL PROTECTED]>
To: "Greg Smythe" <[

RE: VPN through NAT

2000-05-30 Thread Kevin S. Mahler

This is not always the case.  Many Cable Modem providers are running
NAT for some reason.  This can cause grief when trying to work from home
with the office.

I posted a response earlier but don't see it.  I must have used the wrong email
address.

The only VPN client I know of that will work through NAT is the Altiga (Cisco)
VPN Client.  It does a raindance around NAT using UDP packets.

Kevin


At 02:56 PM 5/30/00 -0700, Chuck Larrieu wrote:
>To bring this back into the realm of education and enlightenment, let's look
>at the design issue.
>
>You are going VPN, ie secure tunnel from where to where?
>
>Homeinternet-firewall-inside_network is the "standard"
>configuration, with you the user wanting to work from home for some perverse
>reason. ;->
>
>But in the case you state, it would appear that you the user are in the
>office, and want to VPN to some other place?
>
>Corp_net-internet-some_other_place
>
>Now as a matter of security policy, does corp_net want to allow people on
>the inside to connect snug and secure and private to some unknown place on
>the outside... say a competitor's network, where you will then transfer
>company secrets?
>
>As a matter of policy, companies might not want traffic whose contents
>cannot be inspected to be passing through their firewalls.
>
>Yes there are all in one products, such as the Checkpoint VPN firewall,
>which operate in such a manner.
>
>Insidecheckpoint-(VPN/NATtunnel/non-tunnel)-internet-someplace_else
>
>But as a matter of design, NAT notwithstanding, it is in my opinion at
>least, not a good idea to permit unrestricted VPNs from inside to outside.
>If there are extranets to be considered, then one should design a routing
>situation in which those who need to connect to particular VPN devices would
>be routed to particular pieces of equipment, from which the extranet VPN
>would be established.
>
>Inside-firewall---internet
>  |-VPN/extranetbusiness_partner
>
>Hey, guys, have I muddied this up enough?  :->
>
>Chuck
>
>
>-Original Message-
>From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg
>Smythe
>Sent:   Tuesday, May 30, 2000 2:13 PM
>To: Ric Messier; [EMAIL PROTECTED]
>Subject:Re: VPN through NAT
>
>So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
>Thanks for the info!
>
>Greg
>- Original Message -
>From: "Ric Messier" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, May 30, 2000 2:01 PM
>Subject: Re: VPN through NAT
>
>
>VPNs don't typically work through NAT. The reason is that the packet is
>altered by the router on the way through the network. As a result, the
>signature is altered and the packet is discarded as being corrupt. The
>originating IP is used as part of the authentication mechanism for the
>packets coming through. It's a security feature.
>
>Ric
>
>- Original Message -
>From: "Balharek, Peter" <[EMAIL PROTECTED]>
>To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Tuesday, May 30, 2000 4:31 PM
>Subject: RE: VPN through NAT
>
>
> > Try a crazy search on CCO.
> >
> > Type in "nat vpn".
> > Select to search in support.
> >
> > Ohhh.
> >
> > Rtfm
> >
> >
> >
> > -Original Message-
> > From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 30, 2000 12:55 PM
> > To: [EMAIL PROTECTED]
> > Subject: VPN through NAT
> >
> > Hello --
> >
> > Has anyone done this before? I'm trying to get a VPN
> > connection to work over
> > NAT. I see the translation happening, but my PC gets as far
> > as "verifying
> > username/pass" and then it errors out saying the server
> > didn't respond
> > (timeout).
> > show ip nat tra:
> >
> > tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723
> > 1.1.1.1:1723
> >
> > 3.3.3.3 is the IP of my router's internet interface.
> > 102.153.102.251 is my
> > inside IP of my pc. 1.1.1.1 is my VPN server on the
> > internet.
> >
> > If I give my PC an internet IP then it works, so it has
> > something to do with
> > the NAT. No filters are in effect on the interfaces on my
> > router.
> >
> > Thanks!
> >
> >
> > Greg
> >

Re: VPN through NAT

2000-05-30 Thread Greg Smythe

I'm trying to VPN from my Home, through a NAT router, over the internet, and
into a VPN server on the corporate network:

This is what I have:

PC ---| 
|
  nat rtr
| 
 internet
|
 VPN server
|
| 

If that's not readable: PC  --NAT
Router--Internet--VPN Server (NT)--Corp LAN

On my NAT router I see it trying to connect but something is not passing over
the router correctly.

As a last resort I have just opened a case with the TAC (I decided to try on
here first to see if I could get a fast response ). I'll let the list
know what they say. My case was just dispatched to a tech.

Greg

- Original Message -
From: "Chuck Larrieu" <[EMAIL PROTECTED]>
To: "Greg Smythe" <[EMAIL PROTECTED]>; "Ric Messier"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 2:56 PM
Subject: RE: VPN through NAT


To bring this back into the realm of education and enlightenment, let's look
at the design issue.

You are going VPN, ie secure tunnel from where to where?

Homeinternet-firewall-inside_network is the "standard"
configuration, with you the user wanting to work from home for some perverse
reason. ;->

But in the case you state, it would appear that you the user are in the
office, and want to VPN to some other place?

Corp_net-internet-some_other_place

Now as a matter of security policy, does corp_net want to allow people on
the inside to connect snug and secure and private to some unknown place on
the outside... say a competitor's network, where you will then transfer
company secrets?

As a matter of policy, companies might not want traffic whose contents
cannot be inspected to be passing through their firewalls.

Yes there are all in one products, such as the Checkpoint VPN firewall,
which operate in such a manner.

Insidecheckpoint-(VPN/NATtunnel/non-tunnel)-internet-someplace_else

But as a matter of design, NAT notwithstanding, it is in my opinion at
least, not a good idea to permit unrestricted VPNs from inside to outside.
If there are extranets to be considered, then one should design a routing
situation in which those who need to connect to particular VPN devices would
be routed to particular pieces of equipment, from which the extranet VPN
would be established.

Inside-firewall---internet
 |-VPN/extranetbusiness_partner

Hey, guys, have I muddied this up enough?  :->

Chuck


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg
Smythe
Sent: Tuesday, May 30, 2000 2:13 PM
To: Ric Messier; [EMAIL PROTECTED]
Subject: Re: VPN through NAT

So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
Thanks for the info!

Greg
- Original Message -
From: "Ric Messier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 2:01 PM
Subject: Re: VPN through NAT


VPNs don't typically work through NAT. The reason is that the packet is
altered by the router on the way through the network. As a result, the
signature is altered and the packet is discarded as being corrupt. The
originating IP is used as part of the authentication mechanism for the
packets coming through. It's a security feature.

Ric

- Original Message -
From: "Balharek, Peter" <[EMAIL PROTECTED]>
To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 4:31 PM
Subject: RE: VPN through NAT


> Try a crazy search on CCO.
>
> Type in "nat vpn".
> Select to search in support.
>
> Ohhh.
>
> Rtfm
>
>
>
> -Original Message-
> From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 30, 2000 12:55 PM
> To: [EMAIL PROTECTED]
> Subject: VPN through NAT
>
> Hello --
>
> Has anyone done this before? I'm trying to get a VPN
> connection to work over
> NAT. I see the translation happening, but my PC gets as far
> as "verifying
> username/pass" and then it errors out saying the server
> didn't respond
> (timeout).
> show ip nat tra:
>
> tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723
> 1.1.1.1:1723
>
> 3.3.3.3 is the IP of my router's internet interface.
> 102.153.102.251 is my
> inside IP of my pc. 1.1.1.1 is my VPN server on the
> internet.
>
> If I give my PC an internet IP then it works, so it has
> something to do with
> the NAT. No filters are in effect on the interfaces on my
> router.
>
> Thanks!
>
>
> Greg
>

RE: VPN through NAT

2000-05-30 Thread Chuck Larrieu

To bring this back into the realm of education and enlightenment, let's look
at the design issue.

You are going VPN, ie secure tunnel from where to where?

Homeinternet-firewall-inside_network is the "standard"
configuration, with you the user wanting to work from home for some perverse
reason. ;->

But in the case you state, it would appear that you the user are in the
office, and want to VPN to some other place?

Corp_net-internet-some_other_place

Now as a matter of security policy, does corp_net want to allow people on
the inside to connect snug and secure and private to some unknown place on
the outside... say a competitor's network, where you will then transfer
company secrets?

As a matter of policy, companies might not want traffic whose contents
cannot be inspected to be passing through their firewalls.

Yes there are all in one products, such as the Checkpoint VPN firewall,
which operate in such a manner.

Insidecheckpoint-(VPN/NATtunnel/non-tunnel)-internet-someplace_else

But as a matter of design, NAT notwithstanding, it is in my opinion at
least, not a good idea to permit unrestricted VPNs from inside to outside.
If there are extranets to be considered, then one should design a routing
situation in which those who need to connect to particular VPN devices would
be routed to particular pieces of equipment, from which the extranet VPN
would be established.

Inside-firewall---internet
 |-VPN/extranetbusiness_partner

Hey, guys, have I muddied this up enough?  :->

Chuck


-Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Greg
Smythe
Sent:   Tuesday, May 30, 2000 2:13 PM
To: Ric Messier; [EMAIL PROTECTED]
Subject:    Re: VPN through NAT

So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
Thanks for the info!

Greg
- Original Message -
From: "Ric Messier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 2:01 PM
Subject: Re: VPN through NAT


VPNs don't typically work through NAT. The reason is that the packet is
altered by the router on the way through the network. As a result, the
signature is altered and the packet is discarded as being corrupt. The
originating IP is used as part of the authentication mechanism for the
packets coming through. It's a security feature.

Ric

- Original Message -
From: "Balharek, Peter" <[EMAIL PROTECTED]>
To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 4:31 PM
Subject: RE: VPN through NAT


> Try a crazy search on CCO.
>
> Type in "nat vpn".
> Select to search in support.
>
> Ohhh.
>
> Rtfm
>
>
>
> -Original Message-
> From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 30, 2000 12:55 PM
> To: [EMAIL PROTECTED]
> Subject: VPN through NAT
>
> Hello --
>
> Has anyone done this before? I'm trying to get a VPN
> connection to work over
> NAT. I see the translation happening, but my PC gets as far
> as "verifying
> username/pass" and then it errors out saying the server
> didn't respond
> (timeout).
> show ip nat tra:
>
> tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723
> 1.1.1.1:1723
>
> 3.3.3.3 is the IP of my router's internet interface.
> 102.153.102.251 is my
> inside IP of my pc. 1.1.1.1 is my VPN server on the
> internet.
>
> If I give my PC an internet IP then it works, so it has
> something to do with
> the NAT. No filters are in effect on the interfaces on my
> router.
>
> Thanks!
>
>
> Greg
>



RE: VPN through NAT

2000-05-30 Thread Balharek, Peter

Try a crazy search on CCO.

Type in "nat vpn".
Select to search in support.

Ohhh.

Rtfm



-Original Message-
From:   Greg Smythe [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, May 30, 2000 12:55 PM
To: [EMAIL PROTECTED]
Subject:VPN through NAT

Hello --

Has anyone done this before? I'm trying to get a VPN
connection to work over
NAT. I see the translation happening, but my PC gets as far
as "verifying
username/pass" and then it errors out saying the server
didn't respond
(timeout).
show ip nat tra:

tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723 1.1.1.1:1723

3.3.3.3 is the IP of my router's internet interface.
102.153.102.251 is my
inside IP of my pc. 1.1.1.1 is my VPN server on the
internet.

If I give my PC an internet IP then it works, so it has
something to do with
the NAT. No filters are in effect on the interfaces on my
router.

Thanks!


Greg




Re: VPN through NAT

2000-05-30 Thread Greg Smythe

So I can't make a VPN connection to my NT box over NAT.. Well that sucks.
Thanks for the info!

Greg
- Original Message -
From: "Ric Messier" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 2:01 PM
Subject: Re: VPN through NAT


VPNs don't typically work through NAT. The reason is that the packet is
altered by the router on the way through the network. As a result, the
signature is altered and the packet is discarded as being corrupt. The
originating IP is used as part of the authentication mechanism for the
packets coming through. It's a security feature.

Ric

- Original Message -
From: "Balharek, Peter" <[EMAIL PROTECTED]>
To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 4:31 PM
Subject: RE: VPN through NAT


> Try a crazy search on CCO.
>
> Type in "nat vpn".
> Select to search in support.
>
> Ohhh.
>
> Rtfm
>
>
>
> -Original Message-
> From: Greg Smythe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 30, 2000 12:55 PM
> To: [EMAIL PROTECTED]
> Subject: VPN through NAT
>
> Hello --
>
> Has anyone done this before? I'm trying to get a VPN
> connection to work over
> NAT. I see the translation happening, but my PC gets as far
> as "verifying
> username/pass" and then it errors out saying the server
> didn't respond
> (timeout).
> show ip nat tra:
>
> tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723
> 1.1.1.1:1723
>
> 3.3.3.3 is the IP of my router's internet interface.
> 102.153.102.251 is my
> inside IP of my pc. 1.1.1.1 is my VPN server on the
> internet.
>
> If I give my PC an internet IP then it works, so it has
> something to do with
> the NAT. No filters are in effect on the interfaces on my
> router.
>
> Thanks!
>
>
> Greg
>



Re: VPN through NAT

2000-05-30 Thread Greg Smythe

Tried that already. Only info I found on there is configuring a PIX firewall
VPN tunnel. Searching the CCO is a major pain; you get so many unrelated
hits..


Greg

- Original Message -
From: "Balharek, Peter" <[EMAIL PROTECTED]>
To: "Greg Smythe" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, May 30, 2000 1:31 PM
Subject: RE: VPN through NAT


Try a crazy search on CCO.

Type in "nat vpn".
Select to search in support.

Ohhh.

Rtfm



-Original Message-
From: Greg Smythe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 30, 2000 12:55 PM
To: [EMAIL PROTECTED]
Subject: VPN through NAT

Hello --

Has anyone done this before? I'm trying to get a VPN
connection to work over
NAT. I see the translation happening, but my PC gets as far
as "verifying
username/pass" and then it errors out saying the server
didn't respond
(timeout).
show ip nat tra:

tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723 1.1.1.1:1723

3.3.3.3 is the IP of my router's internet interface.
102.153.102.251 is my
inside IP of my pc. 1.1.1.1 is my VPN server on the
internet.

If I give my PC an internet IP then it works, so it has
something to do with
the NAT. No filters are in effect on the interfaces on my
router.

Thanks!


Greg




Re: VPN through NAT

2000-05-30 Thread Rodgers Moore

NAT or PAT.  You can't do a VPN tunnel with PAT.

Rodgers Moore, CCDP, CCNP-Security


""Greg Smythe"" <[EMAIL PROTECTED]> wrote in message
news:000501bfca70$edb82740$020b010a@ei...
> Hello --
>
> Has anyone done this before? I'm trying to get a VPN connection to work over
> NAT. I see the translation happening, but my PC gets as far as "verifying
> username/pass" and then it errors out saying the server didn't respond
> (timeout).
> show ip nat tra:
>
> tcp 3.3.3.3:1056  102.153.102.251:1056 1.1.1.1:1723 1.1.1.1:1723
>
> 3.3.3.3 is the IP of my router's internet interface. 102.153.102.251 is my
> inside IP of my pc. 1.1.1.1 is my VPN server on the internet.
>
> If I give my PC an internet IP then it works, so it has something to do with
> the NAT. No filters are in effect on the interfaces on my router.
>
> Thanks!
>
>
> Greg
>