Re: FreeBSD to Cisco ASA 5505 VPN Connection
--- On Wed, 2/17/10, Chuck Swiger wrote:

> From: Chuck Swiger
> Subject: Re: FreeBSD to Cisco ASA 5505 VPN Connection
> To: "Bill Tillman"
> Cc: freebsd-questions@freebsd.org
> Date: Wednesday, February 17, 2010, 5:17 PM
>
> Hi--
>
> On Feb 17, 2010, at 3:06 PM, Bill Tillman wrote:
> > The tech told me that I need to forward ports 500 and 4500 with my FreeBSD
> > router to the small VPN router inside my LAN. That's simple enough but then
> > he tells me I need to redirect all EPS and all AH traffic as well. I guess
> > this is where FreeBSD+NATD+IPFW hits the wall when working with Cisco or is
> > it? I gotta believe this can work but I don't know how the heck to do it and
> > the tech at our IT consultant is totally lost when it comes to anything
> > besides Cisco equipment.
> >
> > Has anyone got a suggestion on how to do a port redirect with natd to pick up
> > these EPS and AH packets? I added some new lines to my /etc/natd.conf file
> > and the AH part seemed ok but the console screen immediately said what the
> > heck is EPS. And worse it did not work. Only when I put the VPN router
> > outside of my existing router does this setup work. I really want to keep
> > this thing inside my LAN or even better would be how do I get my existing
> > router to work as a VPN on its own?
>
> When I was dealing with the Cisco VPN client, I was doing so with IPFW+natd
> and you need 500/udp, 4500/udp, 62515/udp, 1723/tcp, 1/tcp, and the GRE
> protocol. In my case, /etc/natd.conf contained:
>
>   punch_fw 1:100
>   redirect_proto gre 10.1.1.247
>   redirect_port udp 10.1.1.247:500 500
>   redirect_port udp 10.1.1.247:4500 4500
>   redirect_port udp 10.1.1.247:62515 62515
>   redirect_port tcp 10.1.1.247:1 1
>   redirect_port tcp 10.1.1.247:pptp pptp
>
> ...to send the traffic to a VPN endpoint located at IP 10.1.1.247.
>
> Regards,
> --
> -Chuck

Thanks for everyone's valuable input on this. I'm still new to all these protocol and port forwarding topics.

As I see it, in the /etc/protocols file they list esp, ah and gre so I would need all of this in my /etc/natd.conf like this:

  punch_fw 1:100
  redirect_proto gre 10.0.0.252
  redirect_proto esp 10.0.0.252
  redirect_proto ah 10.0.0.252
  redirect_port udp 10.0.0.252:500 500
  redirect_port udp 10.0.0.252:4500 4500
  redirect_port udp 10.0.0.252:62515 62515
  redirect_port tcp 10.0.0.252:1 1
  redirect_port tcp 10.0.0.252:pptp pptp

The VPN router inside my LAN is 10.0.0.252. Then I added these rules to my ipfw rule set:

  ipfw add allow udp from any to any 500
  ipfw add allow udp from any to any 4500
  ipfw add allow udp from any to any 62515
  ipfw add allow tcp from any to any 1
  ipfw add allow tcp from any to any 1723

The VPN router makes the connection to the other Cisco router but the phone still does not work. I turned the firewall in my VPN router off but still no go. This only works when I place the VPN router upstream of my router so it's got to be something in my FreeBSD router which is not letting the traffic through. I've been checking my /var/log/security file but don't see anything being blocked that's related to this.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
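The message above posts both the natd.conf redirects and the ipfw allow rules side by side, so here is an added shell check (not from the thread or from anyone on it) that parses the two lists and reports every natd redirect that no ipfw allow rule covers. The sample input is the configuration quoted in this message; the pptp-to-1723 mapping is assumed from /etc/services.

```shell
# Added example (not from the thread): list natd redirects that have no
# matching ipfw allow rule. Sample input is the config posted in the thread.
NATD_CONF='punch_fw 1:100
redirect_proto gre 10.0.0.252
redirect_proto esp 10.0.0.252
redirect_proto ah 10.0.0.252
redirect_port udp 10.0.0.252:500 500
redirect_port udp 10.0.0.252:4500 4500
redirect_port udp 10.0.0.252:62515 62515
redirect_port tcp 10.0.0.252:1 1
redirect_port tcp 10.0.0.252:pptp pptp'
IPFW_RULES='ipfw add allow udp from any to any 500
ipfw add allow udp from any to any 4500
ipfw add allow udp from any to any 62515
ipfw add allow tcp from any to any 1
ipfw add allow tcp from any to any 1723'
# Map service names natd.conf accepts to the numeric ports ipfw uses
# (pptp=1723 assumed from /etc/services; add others as needed).
svc_to_port() {
  case "$1" in
    pptp) echo 1723 ;;
    *) echo "$1" ;;
  esac
}
# One line per natd redirect: "proto" for redirect_proto, "proto port" for
# redirect_port (the public port is the last field of the line).
natd_targets() {
  printf '%s\n' "$NATD_CONF" | while read -r kw proto rest; do
    case "$kw" in
      redirect_proto) echo "$proto" ;;
      redirect_port) echo "$proto $(svc_to_port "${rest##* }")" ;;
    esac
  done
}
# One line per ipfw allow rule, in the same "proto" / "proto port" form.
ipfw_allowed() {
  printf '%s\n' "$IPFW_RULES" |
    while read -r cmd sub action proto from src to dst port; do
      [ "$action" = allow ] || continue
      echo "$proto${port:+ $port}"
    done
}
# Print each natd redirect that no ipfw allow rule covers (empty if none).
missing_allows() {
  natd_targets | while read -r t; do
    ipfw_allowed | grep -qx -- "$t" || echo "$t"
  done
}
```

Run `missing_allows` to see which redirected protocols or ports the posted ipfw set never allows; for the configuration quoted above it prints the three protocol-level redirects (gre, esp, ah) and none of the UDP/TCP ports.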
Re: FreeBSD to Cisco ASA 5505 VPN Connection
It's ESP, not EPS. And NAT traversal / UDP encapsulation is likely needed; that's the 4500 and 1 ports.

- Original Message -
From: owner-freebsd-questi...@freebsd.org
To: Bill Tillman
Cc: freebsd-questions@freebsd.org
Sent: Wed Feb 17 17:17:58 2010
Subject: Re: FreeBSD to Cisco ASA 5505 VPN Connection

Hi--

On Feb 17, 2010, at 3:06 PM, Bill Tillman wrote:
> The tech told me that I need to forward ports 500 and 4500 with my FreeBSD
> router to the small VPN router inside my LAN. That's simple enough but then
> he tells me I need to redirect all EPS and all AH traffic as well. I guess
> this is where FreeBSD+NATD+IPFW hits the wall when working with Cisco or is
> it? I gotta believe this can work but I don't know how the heck to do it and
> the tech at our IT consultant is totally lost when it comes to anything
> besides Cisco equipment.
>
> Has anyone got a suggestion on how to do a port redirect with natd to pick up
> these EPS and AH packets? I added some new lines to my /etc/natd.conf file
> and the AH part seemed ok but the console screen immediately said what the
> heck is EPS. And worse it did not work. Only when I put the VPN router
> outside of my existing router does this setup work. I really want to keep
> this thing inside my LAN or even better would be how do I get my existing
> router to work as a VPN on its own?

When I was dealing with the Cisco VPN client, I was doing so with IPFW+natd
and you need 500/udp, 4500/udp, 62515/udp, 1723/tcp, 1/tcp, and the GRE
protocol. In my case, /etc/natd.conf contained:

  punch_fw 1:100
  redirect_proto gre 10.1.1.247
  redirect_port udp 10.1.1.247:500 500
  redirect_port udp 10.1.1.247:4500 4500
  redirect_port udp 10.1.1.247:62515 62515
  redirect_port tcp 10.1.1.247:1 1
  redirect_port tcp 10.1.1.247:pptp pptp

...to send the traffic to a VPN endpoint located at IP 10.1.1.247.

Regards,
--
-Chuck
Re: FreeBSD to Cisco ASA 5505 VPN Connection
Hi--

On Feb 17, 2010, at 3:06 PM, Bill Tillman wrote:
> The tech told me that I need to forward ports 500 and 4500 with my FreeBSD
> router to the small VPN router inside my LAN. That's simple enough but then
> he tells me I need to redirect all EPS and all AH traffic as well. I guess
> this is where FreeBSD+NATD+IPFW hits the wall when working with Cisco or is
> it? I gotta believe this can work but I don't know how the heck to do it and
> the tech at our IT consultant is totally lost when it comes to anything
> besides Cisco equipment.
>
> Has anyone got a suggestion on how to do a port redirect with natd to pick up
> these EPS and AH packets? I added some new lines to my /etc/natd.conf file
> and the AH part seemed ok but the console screen immediately said what the
> heck is EPS. And worse it did not work. Only when I put the VPN router
> outside of my existing router does this setup work. I really want to keep
> this thing inside my LAN or even better would be how do I get my existing
> router to work as a VPN on its own?

When I was dealing with the Cisco VPN client, I was doing so with IPFW+natd
and you need 500/udp, 4500/udp, 62515/udp, 1723/tcp, 1/tcp, and the GRE
protocol. In my case, /etc/natd.conf contained:

  punch_fw 1:100
  redirect_proto gre 10.1.1.247
  redirect_port udp 10.1.1.247:500 500
  redirect_port udp 10.1.1.247:4500 4500
  redirect_port udp 10.1.1.247:62515 62515
  redirect_port tcp 10.1.1.247:1 1
  redirect_port tcp 10.1.1.247:pptp pptp

...to send the traffic to a VPN endpoint located at IP 10.1.1.247.

Regards,
--
-Chuck
FreeBSD to Cisco ASA 5505 VPN Connection
I have a small dilemma. The boss finally relented and is allowing me to work from home. This is a good deal for him too; I just have to convince him. They have a Cisco ASA 5505 VPN router at the office. I have a wonderfully working LAN that uses a FreeBSD-7.2-STABLE server running NATD+IPFW. This in turn connects to a cable modem to my ISP and I couldn't be happier with it. All is well.

Now my employer wants me to use a VPN server on my end to connect to his VPN. Okay cool, I think OpenVPN would do the trick. WRONG... OpenVPN does not work with Cisco ASA 5505 routers. In fact, OpenVPN doesn't work with a lot of Cisco equipment. So much for trying to connect my router directly to their router. But I do have a small Cisco/Linksys RV042 VPN router which does talk to their Cisco router. So we tried hooking this up. First behind my router because I felt it would be safer there and I only need it for a VOIP phone they gave me. That's all this exercise was about: to allow the phone to work securely for their Asterisk system. I know there are other ways to do this but the techs don't want to mess with the Asterisk server because it will void the support contract and warranty.

Through trial and error I finally got this small router to work but I had to put it on the outside of my FreeBSD router. No big deal really; it seems to be safe as it has a firewall and the only thing connected to it, besides my other FreeBSD router which is tight as a drum, is the VOIP phone, which works quite well.

The tech told me that I need to forward ports 500 and 4500 with my FreeBSD router to the small VPN router inside my LAN. That's simple enough but then he tells me I need to redirect all EPS and all AH traffic as well. I guess this is where FreeBSD+NATD+IPFW hits the wall when working with Cisco or is it? I gotta believe this can work but I don't know how the heck to do it and the tech at our IT consultant is totally lost when it comes to anything besides Cisco equipment.

Has anyone got a suggestion on how to do a port redirect with natd to pick up these EPS and AH packets? I added some new lines to my /etc/natd.conf file and the AH part seemed ok but the console screen immediately said what the heck is EPS. And worse it did not work. Only when I put the VPN router outside of my existing router does this setup work. I really want to keep this thing inside my LAN or even better would be how do I get my existing router to work as a VPN on its own?