I have a customer who is trying to conserve their public IP addresses. The VPN 3005 is behind a failover PIX firewall in a DMZ zone, and I originally tried using static NAT on the PIX for the public IP of the 3005. However, none of the LAN-to-LAN tunnels were able to be established. The remote devices are satellite routers running FreeSWAN. There was nothing in the logs of the 3005 to say what was going wrong, so I checked the logs on the remotes, and the problem was obvious then.
The "peer" address configured at both ends is the public IP for each device. What was happening was the 3005 was presenting its private IP to the remote host as its peer address, so the remote site was tearing down the connection.
I have searched the forums etc., but have been unable to find any work-around for this. I have everything currently working by using all the public IPs in the DMZ, & that is working fine. I would just like to know where/how in the 3005 configuration I can tell it to present the public IP address to remote peers, as I am certain I have seen something like this behind a Checkpoint firewall & it was working.
Thanks in advance.