NAT-T + VPN Tunnel
Posted by Darren Green on November 6, 2005, 4:06 am

Assuming that I have the following:

-------------------Router--------------PIX--------------LAN
(Public Outside)                       (Private Inside)

And the router on the outside has a static translation for the PIX outside interface. Assuming I am building a VPN between the PIX outside interface and a destination network somewhere on the Internet, I assume I would need to account for NAT-T.

A colleague of mine was tasked to get this working for a customer and his IKE phase 1 negotiation was unsuccessful. We thought initially that the Phase 1 parameters were inconsistent; however, something tells me NAT-T may also be a possibility.

Regards
Darren
Posted by Walter Roberson on November 6, 2005, 10:23 am

> Assuming that I have the following:
>
> -------------------Router--------------PIX--------------LAN
> (Public Outside)                       (Private Inside)
>
> And the router on the outside has a static translation for the PIX
> outside interface. Assuming I am building a VPN between the PIX outside
> interface and a destination network somewhere on the Internet, I assume
> I would need to account for NAT-T.

It would help, yes.

> A colleague of mine was tasked to get this working for a customer and
> his IKE phase 1 negotiation was unsuccessful. We thought initially that
> the Phase 1 parameters were inconsistent; however, something tells me
> NAT-T may also be a possibility.

You have not really given us enough information. When you run

debug crypto ipsec 2
debug crypto isakmp 2

on the PIX, do you see the conversation getting as far as sending NAT-T probes?

--
Many food scientists have reported chocolate to be the single most craved food.
-- Northwestern University, 2001
Posted by Vincent C Jones on November 6, 2005, 11:03 am

> Assuming that I have the following:
>
> -------------------Router--------------PIX--------------LAN
> (Public Outside)                       (Private Inside)
>
> And the router on the outside has a static translation for the PIX
> outside interface. Assuming I am building a VPN between the PIX outside
> interface and a destination network somewhere on the Internet, I assume
> I would need to account for NAT-T.
>
> A colleague of mine was tasked to get this working for a customer and
> his IKE phase 1 negotiation was unsuccessful. We thought initially that
> the Phase 1 parameters were inconsistent; however, something tells me
> NAT-T may also be a possibility.
>
> Regards
>
> Darren

This topic has been around for years (see http://www.sans.org/rr/whitepapers/vpns/731.php) and has been discussed multiple times in this forum; you might try a search for "NAT traversal" and IPsec. The problems are not limited to Cisco, and there is more than one of them. You seem to be getting hung up on the initial key exchange, which uses port 500. Your NAT is probably assuming overloading and changing the port to one Cisco does not recognize. Once you get past the key exchange, you'll also be challenged by the NAT interfering with AH and ESP.

Bottom Line: The NAT Traversal (NAT-T) feature, introduced in PIX Firewall version 6.3, is required to establish an IPsec tunnel through an external NAT. If you are not running at least PIX OS 6.3, you will need to upgrade. Similarly, your Cisco VPN client must be at version 3.6 or newer. A little searching on www.cisco.com should uncover some sample configurations appropriate for your client's needs.

Good luck and have fun!

--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ   Phone: 201 568-7810
http://www.networkingunlimited.com
Expert advice and a helping hand for those who want to manage and control their networking destiny
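Walter's question (does the debug get as far as the NAT-T probes?) and Vincent's point (a NAT rewriting the port 500 exchange is exactly what NAT-T exists to detect, and AH and ESP then need help of their own) both come down to the NAT-D payload exchange of RFC 3947. The following Python is an added example written for this thread; it is not code from the thread, from Cisco, or from the PIX. The addresses, cookies and port numbers are constructed sample values, and the `simulate` and `expected_flows` helpers are hypothetical names chosen here. It shows why Darren's static one-to-one translation is still detected as a NAT even when the port stays at 500: the hash covers the source address as well as the port.

```python
"""NAT detection in IKE phase 1 (RFC 3947 NAT-D payloads), applied to the
Router--PIX--LAN topology from the thread. Added example, not thread code."""
import hashlib
import ipaddress
import struct

# Constructed sample values (documentation address ranges, not real hosts):
#   PIX outside interface as the PIX sees it     192.168.1.2, UDP 500
#   Router's static translation of that address  203.0.113.5
PIX_OUTSIDE = "192.168.1.2"
PIX_TRANSLATED = "203.0.113.5"
CKY_I = bytes.fromhex("0011223344556677")  # constructed initiator cookie
CKY_R = bytes.fromhex("8899aabbccddeeff")  # constructed responder cookie


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body, RFC 3947 section 3.2:
    HASH(CKY-I | CKY-R | IP | Port) with IP and port in network byte order.
    `algo` stands in for the hash negotiated in phase 1 (SHA-1 or MD5)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed   # 4 bytes for IPv4, 16 for IPv6
    packed_port = struct.pack("!H", port)         # 2 bytes, big-endian
    return hashlib.new(algo, cky_i + cky_r + packed_ip + packed_port).digest()


def peer_is_behind_nat(cky_i: bytes, cky_r: bytes, received_hash: bytes,
                       observed_ip: str, observed_port: int, algo: str = "sha1") -> bool:
    """Receiver side of the probe: recompute the peer's NAT-D hash over the
    source address and port the packet actually arrived with. Any mismatch
    means a device in the path rewrote the address, the port, or both."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port, algo) != received_hash


def simulate(arrived_ip: str, arrived_port: int) -> bool:
    """The PIX hashes the address it believes it has (outside interface, UDP 500)
    and the remote peer checks it against what it saw on the wire. Returns True
    when the remote peer concludes the PIX is behind a NAT."""
    sent = nat_d_hash(CKY_I, CKY_R, PIX_OUTSIDE, 500)
    return peer_is_behind_nat(CKY_I, CKY_R, sent, arrived_ip, arrived_port)


def expected_flows(nat_present: bool) -> dict:
    """Flows both firewalls must permit once phase 1 settles (RFC 3947 / 3948).
    Without NAT: IKE on UDP 500, ESP as IP protocol 50, AH as IP protocol 51.
    With NAT detected: IKE floats to UDP 4500 and ESP is UDP-encapsulated on
    4500; AH authenticates the outer IP header, so it cannot cross a NAT."""
    if nat_present:
        return {"ike": ("udp", 4500), "esp": ("udp", 4500), "ah": None}
    return {"ike": ("udp", 500), "esp": ("ip", 50), "ah": ("ip", 51)}


if __name__ == "__main__":
    cases = [
        ("no NAT in path", PIX_OUTSIDE, 500),
        ("static NAT: address rewritten, port kept", PIX_TRANSLATED, 500),
        ("PAT overload: address and port rewritten", PIX_TRANSLATED, 1025),
    ]
    for label, ip, port in cases:
        nat = simulate(ip, port)
        print(f"{label:42s} NAT detected={nat} flows={expected_flows(nat)}")
```

Two things worth noticing when reading a phase 1 debug against this: the hash is keyed on both ISAKMP cookies, so each negotiation produces fresh NAT-D values, and once either side detects a NAT the rest of the exchange moves to UDP 4500, which is the port the router and any intermediate filters must pass in addition to UDP 500. If the debug never shows the NAT-D exchange at all, the peers have not both advertised NAT-T support, which is what the PIX 6.3 requirement in Vincent's reply is about.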
Posted by Darren Green on November 8, 2005, 2:42 am

Vincent C Jones wrote:
> This topic has been around for years (see
> http://www.sans.org/rr/whitepapers/vpns/731.php) and discussed
> multiple times in this forum, you might try a search for "NAT
> traversal" and IPsec, the problems are not limited to Cisco and
> there are more than one. You seem to be getting hung up on the
> initial key exchange which uses port 500. Your NAT is probably
> assuming overloading and changing the port to one Cisco does not
> recognize. Once you get past the key exchange, you'll also be
> challenged by the NAT interfering with AH and ESP.
>
> Bottom Line: The NAT Traversal (NAT-T) feature, introduced in
> PIX Firewall version 6.3, is required to establish an IPsec tunnel
> through an external NAT. If you are not running at least PIX OS 6.3,
> you will need to upgrade. Similarly, your Cisco VPN client must
> be at version 3.6 or newer. A little searching on www.cisco.com
> should uncover some sample configurations appropriate for your
> client's needs.
>
> Good luck and have fun!

Thanks Vincent & Walter for your replies. My difficulty here was having to talk a colleague through this remotely and get him to run the debugs. It was only after I thought about NAT-T. I'll see if I can access the device myself to troubleshoot first hand.

Regards
Darren