VPN Tunnel on PIX

By gwilliams
Not sure if anyone will know this or not but worth a try. I have a PIX 515. I have several VPN's with clients already setup and working. We NAT our outgoing traffic to the internet to 1 global ip address, so really we are using PAT. I'm currently setting up a new VPN with a client but they need us to NAT all traffic over this particular tunnel to 1 global ip address. I'm not certain how to tell my PIX that traffic going over this tunnel needs to be this address. Does anyone know?


by CG IT In reply to VPN Tunnel on PIX

I don't understand what the problem is with the client. Your public IP address is your public IP address. NAT [or NAT overload] doesn't come into play on the public side of things. NAT is just the ability for a bunch of hosts on the LAN to gain internet access with 1 public address [saves on public addresses an ISP has to assign and saves you the cost of having a bunch of public addresses].


by CG IT In reply to

note: VPN is PPTP over port 1723 and IP port 47 [GRE] so the addressing for VPN over is your public address XXX.XXX.XXX.XXX:1723

L2TP is port 115

IPSec: Kerberos uses port 88, and 500 for ISA Key management.

SSL VPN uses port 443


by CG IT In reply to

So as you can see, NAT doesn't mean anything on the WAN side. Whatever router you use will add your public address in the header so that it hides your private LAN addresses and allows you to use private addressing on your LAN. Without NAT, every computer on your LAN would have to have a public address to gain access to the Internet.


by gwilliams In reply to VPN Tunnel on PIX

Right, I understand that. What I'm not sure about is what the remote side will see when our traffic crosses the tunnel. From what you stated they will see our NAT address. Fine if that's what happens, but I thought that over a VPN tunnel they would see our local addresses. Maybe I was wrong.
In other words, when we hit the internet they see (public NAT address); when we travel over a VPN tunnel they see our local addresses. Is this right or wrong?


by CG IT In reply to VPN Tunnel on PIX

Ah ok, they won't see your LAN due to the DHCP Relay agent providing them a local LAN address.


Yes

by gp1200x In reply to VPN Tunnel on PIX

You can do what they are asking...your source IP is the outside natted address that is encrypted over the tunnel. You simply nat the traffic over the tunnel instead of having it not natted. You could use the global outside address...or another address out on that subnet...or any address that you wished...ex...you could make them all look like they are coming from a specific IP address that they give you to use. I know this all works, I have done it all over the last few years...worked at a large company as a consultant and was asked to do just about anything weird and non-standard that you can think of. Remember that the tunnel cryptos are for packets that HAVE already passed through the PIX inside to the PIX outside interface....very important point. That means that the natting or non-natting is involving packets from the inside to the outside....then those packets are inspected for whether or not they match the crypto access lists. You cannot configure PIXs unless you fully understand the logic behind when the access-lists are applied AND the order of these access lists. So it is in this order... inside access list - natting or non-natting to the global or unique addresses or other natted addresses - then the crypto access lists if they match the final natted, non-natted or global. Reverse order is (for VPNed packets): crypto access decrypts packets, external access list is then hit..if sysopt conn permit not used
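As an added illustration of the order gp1200x describes (policy NAT first, then the crypto access list written against the already-translated address), here is a constructed PIX 6.3-style configuration for the tunnel the original question asks about. It is not anyone's posted config; every address, ACL name, map name and the pre-shared key are placeholders, and lines starting with `!` are commentary.

```cisco
! Added example, not the poster's configuration. Assumed placeholder values:
!   inside LAN             10.1.0.0/16
!   partner's network      192.168.50.0/24
!   partner's VPN peer     198.51.100.1
!   address the partner wants to see for ALL our traffic: 203.0.113.10
!
! 1. Policy NAT: only LAN traffic destined for the partner network is
!    translated to 203.0.113.10. A single global address means PAT, which
!    is what the partner asked for. Policy NAT (nat with access-list) is
!    matched before the general internet NAT in step 2, and any existing
!    "nat (inside) 0 access-list ..." exemptions for other tunnels keep
!    precedence over it.
access-list to_partner permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 2 access-list to_partner
global (outside) 2 203.0.113.10
!
! 2. Ordinary internet PAT for everything else stays as it was.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 3. The crypto ACL is evaluated AFTER translation, so it must match the
!    translated source (one host), not the 10.1.0.0/16 LAN. The partner's
!    mirror-image ACL is 192.168.50.0/24 -> host 203.0.113.10.
access-list vpn_partner permit ip host 203.0.113.10 192.168.50.0 255.255.255.0
!
! 4. IKE phase 1 and IPsec phase 2 for this peer.
!    PRESHARED_KEY_PLACEHOLDER is not a real key.
isakmp enable outside
isakmp key PRESHARED_KEY_PLACEHOLDER address 198.51.100.1 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
crypto ipsec transform-set partner_ts esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn_partner
crypto map outside_map 20 set peer 198.51.100.1
crypto map outside_map 20 set transform-set partner_ts
crypto map outside_map interface outside
!
! 5. Let decrypted tunnel traffic bypass the outside interface ACL, the
!    "sysopt conn permit" the post refers to. Without it, the outside
!    access-list must explicitly permit the partner's traffic.
sysopt connection permit-ipsec
```

After applying it, `show xlate` should show a 10.1.x.x to 203.0.113.10 PAT entry for partner-bound sessions, and `show crypto ipsec sa` should show the SA's local identity as 203.0.113.10/32 rather than the LAN range.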
