01-13-2003 08:06 AM - edited 02-21-2020 12:16 PM
Our PIX firewall allows everything established from the inside. In the past, we tried establishing VPN connections from inside our network to a VPN concentrator on the Internet and it didn't work. We were told that doing VPN from behind a firewall wasn't possible (I can't recall who told us that). Just last week however, we had a client doing VPN to their network through our firewall. I don't have the specifics on equipment or protocol. Techically, I would like to know what can and can't be done from the inside using VPN and understand the reasons. We have gone through a few upgrades on the PIX from v5.0 to v6.2 and I assume this may have something do with it. If someone could assist or direct me to some documentation that explains this in further detail, it would be very much appreciated.
Thanks!
Lori White
01-13-2003 05:49 PM
The big problem with IPSec through a firewall is not so much the filtering (the specific protocols can easily be let through), but generally the NAT'ing, or more specifically, the PAT'ing (Port Address Translation). VPN's use either IPSec or PPTP usually, both of which use a protocol that is not TCP or UDP based (ESP and GRE respectively). When doing PAT however, this relies on a TCP or UDP port number to differentiate between the different sessions, and so when a protocol comes in that doesn't have this, it is usually dropped by the PAT'ing device.
A lot of VPN solutions now have a feature called IPSec over UDP, or IPSec over TCP, or IPSec Transparency, or whatever you want to call it. Basically the VPN client and concentrator encapsulate the IPSec ESP packets into a UDP or TCP packet depending on the implementation; this packet can then be PAT'd correctly and everything works fine. Your client was probably using something like this.
PIX 6.3 code will have support for IPSec and PAT, but only for one internal IPSec session. Your best bet is to see if whatever VPN software you're using supports some sort of UDP or TCP encapsulation, then you'll be off and running.
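The answer above turns on one mechanism: a PAT device needs a TCP/UDP port to tell inside sessions apart, so port-less protocols such as ESP and GRE have nothing to multiplex on. The following toy model is an added example written for this thread, not code from Cisco or from any poster; all addresses, the PatDevice class and its table layout are constructed for illustration. It passes TCP/UDP flows, drops bare GRE and ESP, optionally admits a single ESP session (modelling the PIX 6.3 behaviour the reply describes), and shows that wrapping ESP in UDP or TCP (here UDP 4500 and TCP 10000, the port quoted later in the thread) gives PAT the port it needs.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers and the constructed public address of the PAT device
TCP, UDP, GRE, ESP = 6, 17, 47, 50
OUTSIDE_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols that carry no port field
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # encapsulated payload, if any


class PatDevice:
    """Hypothetical outbound PAT device.

    TCP/UDP: source rewritten to OUTSIDE_IP plus a unique translated port.
    GRE/ESP: dropped, because there is no port to key the session on,
    except that allow_single_esp lets exactly one inside host's ESP
    session through untranslated (the one-session exception in the thread).
    """

    def __init__(self, allow_single_esp: bool = False):
        self.allow_single_esp = allow_single_esp
        self.table: dict[tuple, int] = {}   # (src, proto, sport) -> translated port
        self.next_port = 1024
        self.esp_owner: Optional[str] = None

    def translate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (TCP, UDP):
            key = (pkt.src, pkt.proto, pkt.sport)
            if key not in self.table:          # new session: allocate a port
                self.table[key] = self.next_port
                self.next_port += 1
            return Packet(OUTSIDE_IP, pkt.dst, pkt.proto,
                          self.table[key], pkt.dport, pkt.inner)
        if pkt.proto == ESP and self.allow_single_esp:
            if self.esp_owner in (None, pkt.src):
                self.esp_owner = pkt.src       # the single slot is now taken
                return Packet(OUTSIDE_IP, pkt.dst, ESP, inner=pkt.inner)
        return None                             # port-less protocol: dropped


def encapsulate(esp_pkt: Packet, proto: int, port: int) -> Packet:
    """Wrap an ESP packet in UDP or TCP so it carries a port (IPSec over UDP/TCP)."""
    assert esp_pkt.proto == ESP and proto in (TCP, UDP)
    return Packet(esp_pkt.src, esp_pkt.dst, proto, port, port, inner=esp_pkt)


def demo(allow_single_esp: bool = True) -> dict:
    """Return which constructed flows survive the PAT device."""
    pat = PatDevice(allow_single_esp)
    gw = "198.51.100.7"                         # constructed outside VPN gateway
    esp_a = Packet("10.0.0.5", gw, ESP)
    esp_b = Packet("10.0.0.6", gw, ESP)
    return {
        "http": pat.translate(Packet("10.0.0.5", gw, TCP, 40000, 80)) is not None,
        "gre": pat.translate(Packet("10.0.0.5", gw, GRE)) is not None,
        "esp_first_host": pat.translate(esp_a) is not None,
        "esp_second_host": pat.translate(esp_b) is not None,
        "esp_over_udp": pat.translate(encapsulate(esp_b, UDP, 4500)) is not None,
        "esp_over_tcp": pat.translate(encapsulate(esp_b, TCP, 10000)) is not None,
    }


def distinct_translated_ports() -> bool:
    """Two inside hosts using the same source port get different outside ports."""
    pat = PatDevice()
    a = pat.translate(Packet("10.0.0.5", "198.51.100.7", UDP, 500, 500))
    b = pat.translate(Packet("10.0.0.6", "198.51.100.7", UDP, 500, 500))
    return a is not None and b is not None and a.sport != b.sport


if __name__ == "__main__":
    for flow, passed in demo().items():
        print(f"{flow:16} {'passes' if passed else 'dropped'}")
```

Running the block prints one line per flow: the HTTP session and both encapsulated ESP flows pass, bare GRE is dropped, and with the single-session exception enabled only the first inside host's bare ESP gets through. That last line is why two users behind the same PIX cannot both run plain IPSec, and why the encapsulated form is the practical fix.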
01-15-2003 08:20 AM
Hello,
So does this mean that the Cisco VPN Client supports this ?
"You're best bet is to see if whatever VPN software you're using supports some sort of UDP or TCP encapsulation, then you'll be off and running".
Is this the section of the VPN Client that has a configuration for:
"Use IPSEC over TCP" "TCP Port 10000"
I have tried this and cannot get it to work.
thanks
-pat
01-15-2003 09:21 AM
Both ends of the VPN will need to support IPSec over TCP/UDP. The Cisco VPN client does indeed support this, as does the Cisco VPN Concentrator. The Pix however currently does not support it, so you can establish a VPN using IPSec over TCP/UDP from a Cisco VPN Client to a Concentrator, but not to a Pix.
Rgds
Kev
01-15-2003 03:28 PM
Thanks very much for the reply.
So if I understand you correctly, it is ok to be behind a PIX with a client, as long as you are terminating the VPN tunnel to a concentrator?
-pat
01-15-2003 05:10 PM
Correctamundo, providing you set up both the VPN client AND the concentrator to do IPSec over TCP or UDP.
02-11-2003 01:15 PM
What is required to get any internal client behind the PIX to connect to any VPN host on the outside? From my understanding of the implicit rules, I thought since the connection was initiated from the inside, it would work fine. It times out with error 721 if I do not add an access command similar to the following:
access-list acl-out permit gre any any
Is there a better way to accomplish this without opening us such a hole?
-Glenn