  • #2196193

    VPN Tunnel on PIX

    by gwilliams ·

    Not sure if anyone will know this or not, but worth a try. I have a PIX 515. I have several VPNs with clients already set up and working. We NAT our outgoing traffic to the internet to 1 global IP address, so really we are using PAT. I’m currently setting up a new VPN with a client, but they need us to NAT all traffic over this particular tunnel to 1 global IP address. I’m not certain how to tell my PIX that traffic going over this tunnel needs to be this address. Does anyone know?

All Comments

  • 
    • #3113292

      Reply To: VPN Tunnel on PIX

      by cg it ·

      In reply to VPN Tunnel on PIX

      I don’t understand what the problem is with the client. Your public IP address is your public IP address. NAT [or NAT overload] doesn’t come into play on the public side of things. NAT is just the ability for a bunch of hosts on the LAN to gain internet access with 1 public address [saves on public addresses an ISP has to assign, and saves you the cost of having a bunch of public addresses].

      • #3113282

        Reply To: VPN Tunnel on PIX

        by cg it ·

        In reply to Reply To: VPN Tunnel on PIX

        Note: VPN is PPTP over port 1723 and IP port 47 [GRE], so the addressing for VPN is your public address XXX.XXX.XXX.XXX:1723.

        L2TP is port 115

        IPSec: Kerberos uses port 88, and 500 for ISA Key management.

        SSL VPN uses port 443

      • #3113271

        Reply To: VPN Tunnel on PIX

        by cg it ·

        In reply to Reply To: VPN Tunnel on PIX

        So as you can see, NAT doesn’t mean anything on the WAN side. Whatever router you use will add your public address in the header so that it hides your private LAN addresses and allows you to use private addressing on your LAN. Without NAT, every computer on your LAN would have to have a public address to gain access to the Internet.

    • #3113186

      Reply To: VPN Tunnel on PIX

      by gwilliams ·

      In reply to VPN Tunnel on PIX

      Right, I understand that. What I’m not sure about is what the remote side will see when our traffic crosses the tunnel. From what you stated, they will see our NAT address. Fine if that’s what happens, but I thought that over a VPN tunnel they would see our local addresses. Maybe I was wrong.
      In other words, when we hit the internet they see (public NAT address); when we travel over a VPN tunnel they see our local addresses. Is this right or wrong?

    • #3113086

      Reply To: VPN Tunnel on PIX

      by cg it ·

      In reply to VPN Tunnel on PIX

      Ah, OK, they won’t see your LAN due to the DHCP Relay agent providing them a local LAN address.

    • #2581339

      Yes

      by gp1200x ·

      In reply to VPN Tunnel on PIX

      You can do what they are asking... your source IP is the outside natted address that is encrypted over the tunnel. You simply NAT the traffic over the tunnel instead of having it not natted. You could use the global outside address... or another address out on that subnet... or any address that you wished... e.g. you could make them all look like they are coming from a specific IP address that they give you to use. I know this all works; I have done it all over the last few years... worked at a large company as a consultant and was asked to do just about anything weird and non-standard that you can think of.

      Remember that the tunnel cryptos are for packets that HAVE already passed through the PIX inside to the PIX outside interface... very important point. That means that the natting or non-natting is involving packets from the inside to the outside... then those packets are inspected for whether or not they match the crypto access lists. You cannot configure PIXs unless you fully understand the logic behind when the access-lists are applied AND the order of these access lists.

      So it is in this order: inside access list – natting or non-natting to the global or unique addresses or other natted addresses – then the crypto access lists, if they match the final natted, non-natted or global. Reverse order is (for VPNed packets): crypto access decrypts packets, external access list is then hit... if sysopt conn permit is not used.
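      Putting the order gp1200x describes into a PIX 6.3-style configuration, as an added illustration that is not part of the thread: policy NAT translates only the traffic bound for the partner behind one address, and the crypto ACL is written against that translated address because it is evaluated after NAT. All names and addresses are constructed placeholders (10.1.0.0/16 = our LAN, 172.16.50.0/24 = partner LAN, 198.51.100.10 = the single address the partner wants to see, 192.0.2.1 = their peer), and the ISAKMP policy and pre-shared key are omitted.

```cisco
! Added example, not from the thread. PIX 6.3 syntax; addresses are placeholders.

! 1. Inside access list is evaluated first: permit our LAN toward the partner.
access-list inside_in permit ip 10.1.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-group inside_in in interface inside

! 2. NAT runs next. Policy NAT (nat with an access-list) is matched before the
!    regular nat statement, so only partner-bound traffic is PATed behind
!    198.51.100.10; ordinary Internet traffic keeps using global id 1.
access-list partner_nat permit ip 10.1.0.0 255.255.0.0 172.16.50.0 255.255.255.0
nat (inside) 2 access-list partner_nat
global (outside) 2 198.51.100.10
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface

! 3. The crypto ACL is compared against the post-NAT source, so it must name
!    the translated host, not the 10.1.0.0/16 LAN. The partner's mirror-image
!    crypto ACL should likewise reference 198.51.100.10 as the remote network.
access-list partner_crypto permit ip host 198.51.100.10 172.16.50.0 255.255.255.0
crypto ipsec transform-set partner_ts esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address partner_crypto
crypto map outside_map 20 set peer 192.0.2.1
crypto map outside_map 20 set transform-set partner_ts
crypto map outside_map interface outside

! 4. Return path: packets are decrypted first, then would hit the outside
!    access list; sysopt connection permit-ipsec lets decrypted traffic bypass
!    that check (leave it off if you want the outside ACL to filter it too).
sysopt connection permit-ipsec
```

      With PAT to a single address the partner can only initiate connections to 198.51.100.10 itself, so anything they need to reach inside must be published with a static translation.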
