
NAT/PAT VPN Client Through PIX

eh2os
Level 1

I am sure this is an oldie, but let me ask it again. I have a PIX 506E running 6.3.4. It is terminating PIX-to-PIX VPN connections for our enterprise. I have end users who need to connect to a customer network through the PIX 506E via a Nortel Contivity VPN Client. I have a very loose outbound access-list (switching this to a default deny as we speak) and have allowed AH and ESP inbound to the outside interface from the remote VPN server. I keep getting this error:

305006: portmap translation creation failed for protocol 50

I am PATing everything to the address of the outside interface of the PIX.

Any thoughts ?

Eric Watters

Atlanta, Ga.

4 Replies

sebastan_bach
Level 4

Hi, first of all you don't need to set up NAT for the VPN users. And in case you are setting up NAT for them, set the fixup for ESP and also the ISAKMP keepalives to negotiate NAT-T.

hope this helps.

regards

sebastan

Thanks for the response. I just mentioned the PAT to get the point across that I was not statically NATing the internal users to their own IPs. The PAT is in place for all outbound traffic. I have read that you can only use the fixup for ESP if the PIX isn't also terminating other IPsec VPN connections (which it is). It is part of a VPN meshed network. Lastly, I have read that even if the PIX weren't terminating VPN connections, the fixup would only allow one VPN connection from an internal client at a time. And that won't work because I have 14 users who need to access this remote network. Have I been misled or have I misread? Thanks for the help!

Eric Watters

Atlanta, Ga.

Yes, you are correct: the fixup only allows one IPsec connection at the same time and can't be applied when you are already terminating a VPN tunnel on the PIX; in fact, if you try to type in the fixup you will receive an error message. What you could try is finding out whether the client supports NAT transparency and which ports it uses for it. For example, a Cisco client uses UDP 4500 or TCP 10000 by default, so you could try creating an access-list which allows UDP 4500, 500, and TCP 10000 (in the case of the Cisco client). This needs to be applied to the outside and inside interfaces in the inbound direction.

The issue is basically an incompatibility between ESP and NAT/PAT, but the transparency feature will encapsulate the ESP packet in a UDP header and the PAT should work. I have not done this myself, so please let us know how you go.

Please let me know how you go .. and rate it if it helps ..

Well, as mentioned, there are issues between PAT and IPsec. If those who want VPN to the Nortel are limited, you can create static NATs for them and then allow ESP and AH to their IP addresses. This would work 100%. However, this depends on how many there are and whether this is feasible for you.

Please rate if this helps,
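For reference, this is what the static-NAT approach from the last reply looks like in PIX 6.3 syntax, written as an added example rather than anything posted in the thread. The addresses (192.168.1.11/.12 for two internal client hosts, 203.0.113.11/.12 for their mapped public addresses, 198.51.100.5 for the remote Nortel gateway) and the access-list names outside_in and inside_out are assumed placeholders; the permits are restricted to the remote gateway only, so the statics are not reachable by ESP/AH from anywhere else.

```cisco
! Existing PAT for general outbound traffic (the thread's starting point)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! One-to-one statics for the hosts running the Nortel client. A static
! takes precedence over the nat/global pair, so these hosts leave with a
! fixed public address and their ESP/AH is not subject to port translation.
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 192.168.1.12 netmask 255.255.255.255

! Inbound on the outside interface: only the remote gateway may send
! IKE (UDP 500), ESP (IP protocol 50) and AH (IP protocol 51) to the
! mapped addresses. Avoid "permit esp any any"; it would expose every
! static to unsolicited IPsec traffic from the whole Internet.
access-list outside_in permit udp host 198.51.100.5 eq 500 host 203.0.113.11 eq 500
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.11
access-list outside_in permit ah host 198.51.100.5 host 203.0.113.11
access-list outside_in permit udp host 198.51.100.5 eq 500 host 203.0.113.12 eq 500
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.12
access-list outside_in permit ah host 198.51.100.5 host 203.0.113.12
access-group outside_in in interface outside

! Inside interface, for the default-deny outbound policy the poster is
! moving to: the client hosts may reach the gateway with IKE/ESP/AH;
! any other outbound traffic must be permitted explicitly below this.
access-list inside_out permit udp host 192.168.1.11 host 198.51.100.5 eq 500
access-list inside_out permit esp host 192.168.1.11 host 198.51.100.5
access-list inside_out permit ah host 192.168.1.11 host 198.51.100.5
access-list inside_out permit udp host 192.168.1.12 host 198.51.100.5 eq 500
access-list inside_out permit esp host 192.168.1.12 host 198.51.100.5
access-list inside_out permit ah host 192.168.1.12 host 198.51.100.5
access-group inside_out in interface inside
```

One static plus its three outside_in and three inside_out lines is needed per client host, so the 14 users in the thread translate into 14 statics and 14 public addresses; every other host stays behind the PAT unchanged.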