Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1045
Views
0
Helpful
3
Replies

How to VPN out from inside a 'corporate firewall'?

dave8775
Level 1
Level 1

‎03-21-2002 12:05 AM - edited ‎02-21-2020 11:39 AM

Hi! How does one VPN out from a 'behind the corporate firewall' scenario to a remote network?

I found out that IPSec VPN uses ESP 50 and UDP 500 protocols and that if using transparent tunneling mode it can either encapsulate ESP 50 in UDP 500 (UDP) or both ESP 50 and UDP 500 inside TCP 10000 (TCP)--the later being ideal for overcoming stateful firewalls.

Unfortunately, my company has a firewall that does not allow direct connections to any outside internet address. For example, if I want to ssh to an outside host I need to request that they map an internal address to the external address I need to get to and then open the firewall for that specific SSH connection.

If I were to choose the TCP tunneling option and request an internal mapping of say 10.10.1.125 port 22 to map to 212.2.1.12 port 10000 (the standard VPN TCP port) and then configure the client as if the remote host was the internal address (10.10.1.125 port 22) whoud that work?

Your help is much appreciated!!!

Cheers,

David

Labels:
0 Helpful
3 Replies 3

fchurch
Level 1
Level 1

‎03-21-2002 08:07 AM

The short answer is that you need to request that they allow you to get to the IP address for the VPN and that they allow that VPN traffic back to you. In the senario you gave above it does not sound like the company you work for would be willing to do that. It is a simple process, but not one that you (the end user) control. It is controlled by the company, and more specifically the person(s) controlling the firewall.

0 Helpful

dave8775
Level 1
Level 1
In response to fchurch

‎03-21-2002 03:47 PM

Hi there,

thanks for replying! Effectively that mapping would give us access to the external concentrator and vice-versa. What I am not sure is whether that relay would cause the VPN to fail (or not) even if we use the TCP based tunneling... That mapping acts kinna like a temporary gateway to that external resource and to open that gate one needs to first authenticate to the firewall, and then use that internal address as if it were the destination (the firewall mapping takes care of the rest).

Any idea if that will work?

Regards,

David

0 Helpful

fchurch
Level 1
Level 1
In response to dave8775

‎03-21-2002 10:21 PM

Here is the basic how it works... Your PC internal IP gets a static map to an external IP address from the firewall. Your PC requests to go to the External IP address for VPN. Firewall allows you to. You get to the external IP address for VPN, and try to authenticate. The External IP address passes back information ESP and UDP. Your firewall has to allow that information through to your PC. If ESP and UDP are not specifically allowed from that specific IP address to your specific IP address, then you don't get to VPN to a remote host from inside your network.

Thats as basic of an answer as I can think of. There are other things involved, but I think that should give you a pretty good idea as to how the process works. As long as we are talking about a Cisco PIX box you don't make the connection without both of these things happening. If you are the one configuring the firewall and I misunderstood your entire question, then I could show you an example of the configuration you would need to connect to the remote VPN. I have done it a few times, and it works well.

0 Helpful
Customers Also Viewed These Support Documents