topic Re: NAT question in Network Security

NAT question

whiteford — Mon, 11 Mar 2019 10:45:12 GMT

We have many users that connect to a remote VPN. They use a local client on Windows XP, but the only way we can get them to connect is by giving each user a public external IP address and NAT it to their private internal address and use the GRE IP protocal, we have no more public address left now. Is there a way where we can allow all users to just use one external IP or a pool of IP's to NAT? We only have one or two users (max) that connect to this VPN?

Thanks

Re: NAT question

mattiaseriksson — Mon, 16 Jul 2007 14:09:11 GMT

If I understand you correct, you want to let outbound PPTP traffic pass through your firewall without using 1:1 NAT as you are currently doing, but rather use a single public IP (PAT)?

I really depends on what firewall you are using, but if you have a PIX firewall running OS 6.3 or later, you can use the command 'fixup protocol pptp 1723'.

This will let PPTP traffic traverse the PIX when configured for PAT, performing stateful PPTP packet inspection in the process.

Re: NAT question

whiteford — Mon, 16 Jul 2007 14:42:12 GMT

It's a Pix with that version, how can I do this in the ADSM?

Re: NAT question

mattiaseriksson — Mon, 16 Jul 2007 14:50:06 GMT

Try Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab and enable PPTP inspection.

Re: NAT question

whiteford — Mon, 16 Jul 2007 14:51:42 GMT

That's it? i wish I knew about this earlier 🙂 So what public address will all users use? plus and downtime on the Pix when I enable this?

Re: NAT question

mattiaseriksson — Mon, 16 Jul 2007 14:58:16 GMT

What address they will use depends on your NAT/PAT configurations. You can let them use the outside interface address with PAT if you want.

There should not be any downtime (unless you also change NAT configuration and clear the translation table).

Re: NAT question

whiteford — Mon, 16 Jul 2007 20:32:15 GMT

ok, once I tick that "PPTP" box what should I do for the NAT/PAT config, explained in an idiots guide please 🙂 as this is new to me.

Many thanks inadvance for you help

Re: NAT question

mattiaseriksson — Mon, 16 Jul 2007 20:52:42 GMT

You said you are using static NAT for computers that connect through vpn, and I guess that other computers are accessing internet through the same firewall using dynamic NAT?

Then you only have to remove the statics, and all computers should have the same NAT policy applied.

To configure dynamic NAT the easiest way is to use the interface address:

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

Replace 10.0.0.0 with whatever network you are using internally.

This will translate all internal source addresses to the outside interface address.

Have a look here for some ideas of how to control NAT with ASDM:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f31a.shtml

Re: NAT question

whiteford — Tue, 17 Jul 2007 06:15:06 GMT

Would I have to still create a security policy for example allow 10.0.0.0 255.0.0.0 on PPTP and GRE?

Re: NAT question

mattiaseriksson — Tue, 17 Jul 2007 07:32:13 GMT

If you have an outbound ACL you should make sure that PPTP control traffic is allowed out (TCP port 1723). The inspection engine dynamically creates the GRE connections and translations necessary to permit PPTP traffic.

Re: NAT question

whiteford — Tue, 17 Jul 2007 09:41:23 GMT

I noticed that there is no NAT rules on the Outside interface do I need to do this for all our VLAN/Subnets? of leabe this all blank?

Re: NAT question

mattiaseriksson — Tue, 17 Jul 2007 09:52:13 GMT

The source network is on your inside interface, and you can specify every subnet that you use, or just use 0.0.0.0 mask 0.0.0.0 to translate every subnet.

Then you need to add a dynamic pool on the outside interface. It can be a range of addresses or the ouside interface address.

Easiest way to do it is, of course, to just enter these two lines:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Re: NAT question

whiteford — Tue, 17 Jul 2007 09:55:03 GMT

Will there be any downtime when I apply this?

Re: NAT question

mattiaseriksson — Tue, 17 Jul 2007 09:57:35 GMT

It depends on your existing NAT configuration. Can you attach the configuration?