VPN from inside PIX question

scottosan
Level 1

At one of my sites, we set up a 501 with a DSL connection for guests to use to get internet access and VPN back to their office. Currently we have a pool of 5 static addresses. The global command on the outside implies the pool of IPs to be used. The problem is any more than 5 guests, the 6th person cannot get internet access.

My question is if I use the following commands, will this fix my problem and allow multiple users to VPN?

global (outside) 1 interface

and

isakmp nat-traversal

Thanks,

Scott

4 Replies

Patrick Iseli
Level 7

The global (outside) 1 interface will activate PAT - Port Address Translation. I suppose you had previously configured NAT.

Yes this will solve your outbound address limitation.

The isakmp nat-traversal is not for outbound VPN connection issues; it is for inbound VPN issues.

isakmp nat-traversal

Network Address Translation (NAT), including Port Address Translation (PAT), is used in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing NAT devices. NAT traversal enables ESP packets to pass through one or more NAT devices.

The firewall supports NAT traversal as described by Version 2 and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft, available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps. NAT traversal is disabled by default on the firewall.

To enable NAT traversal, check that ISAKMP is enabled (you can enable it with the isakmp enable if_name command) and then use the isakmp nat-traversal [natkeepalive] command. (This command appears in the configuration if both ISAKMP is enabled and NAT traversal is enabled.) If you have enabled NAT traversal, you can disable it with the no isakmp nat-traversal command. Valid values for natkeepalive are from 10 to 3600 seconds. The default is 20 seconds.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

You probably mean the fixup.

The fixup protocol esp-ike command enables PAT for Encapsulating Security Payload (ESP), single tunnel.

The fixup protocol esp-ike command is disabled by default. If a fixup protocol esp-ike command is issued, the fixup is turned on, and the firewall preserves the source port of the Internet Key Exchange (IKE) and creates a PAT translation for ESP traffic. Additionally, if the esp-ike fixup is on, ISAKMP cannot be turned on any interface.

See: http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

All references are for PIX OS 6.3.4!

sincerely

Patrick

Thank you for the quick response. In the documentation it makes mention of single tunnel: "The fixup protocol esp-ike command enables PAT for Encapsulating Security Payload (ESP), single tunnel." What does the single tunnel mean?

I will try it in the morning.

Thanks,

Scott

It appears that the fixup only allows for 1 IPSec tunnel. I need to be able to have multiple users be allowed IPSec access out of the branch. Any suggestions?

Thanks,

Scott

At this point, because you are doing PAT, it is only going to allow one IPSec VPN session through. What you really need to look at now is the other end of the VPN. If the VPN endpoint is set up to use IPSec over TCP or UDP, then it should work for multiple clients behind a NAT/PAT firewall.
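The whole thread in one runnable model, as an added example that is not code from any of the posts above or from Cisco: a toy Python simulation of PIX-style dynamic NAT from an address pool (the original 5-address global) with a PAT fallback on the outside address (global (outside) 1 interface). It shows three things the thread argues about: the pool caps guests at five, PAT lifts that cap for ordinary TCP/UDP traffic, and under PAT raw ESP (IP protocol 50, no port field) can be mapped back to only one inside host, while UDP-encapsulated ESP (NAT-T on UDP/4500) gets a distinct outside port per guest. The addresses, guest count and the port allocator starting at 1024 are constructed assumptions; the "one ESP translation" rule stands in for the single-tunnel behaviour of fixup protocol esp-ike, and the IKE source-port preservation that fixup performs is not modelled.

```python
"""
Toy model of PIX 6.3-style dynamic NAT + PAT, constructed for this thread
(not PIX code). Addresses, guests and port numbers are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP, UDP, ESP = 6, 17, 50


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str                     # inside source address
    sport: Optional[int] = None  # ESP carries no L4 port, hence None


@dataclass
class Translator:
    pool: List[str]                  # "global (outside) 1 a-b netmask ...": 1:1 dynamic NAT
    pat_ip: Optional[str] = None     # "global (outside) 1 interface": PAT, None if absent
    nat: Dict[str, str] = field(default_factory=dict)            # inside host -> pool addr
    pat: Dict[Tuple[int, str, int], int] = field(default_factory=dict)  # PAT'd TCP/UDP flows
    esp_owner: Optional[str] = None  # the one inside host whose raw ESP rides on pat_ip
    next_port: int = 1024            # assumption: simple increasing PAT port allocator

    def translate(self, pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
        """Return (outside src, outside sport), or None if the packet is dropped."""
        # 1. Pool first: a host keeps its address, free addresses go to new hosts.
        #    1:1 NAT rewrites only the IP header, so ESP passes untouched.
        if pkt.src in self.nat:
            return self.nat[pkt.src], pkt.sport
        free = [a for a in self.pool if a not in self.nat.values()]
        if free:
            self.nat[pkt.src] = free[0]
            return free[0], pkt.sport
        # 2. Pool exhausted: without PAT this is the 6th guest of the original post.
        if self.pat_ip is None:
            return None
        if pkt.proto in (TCP, UDP):
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.pat:
                self.pat[key] = self.next_port
                self.next_port += 1
            return self.pat_ip, self.pat[key]
        if pkt.proto == ESP:
            # No port to rewrite: replies to pat_ip can be handed back to only one
            # inside host. This is the "single tunnel" of fixup protocol esp-ike.
            if self.esp_owner in (None, pkt.src):
                self.esp_owner = pkt.src
                return self.pat_ip, None
            return None
        return None


def tunnels_up(tr: Translator, guests: List[str], nat_t: bool) -> int:
    """Count guests whose IKE (UDP/500) and data-plane packets are both translated."""
    up = 0
    for g in guests:
        ike = tr.translate(Packet(UDP, g, 500))
        data = tr.translate(Packet(UDP, g, 4500) if nat_t else Packet(ESP, g))
        if ike is not None and data is not None:
            up += 1
    return up


# Constructed sample data: 5 outside addresses, 8 guest laptops, one outside interface.
POOL = ["203.0.113.%d" % i for i in range(10, 15)]
PAT_IP = "203.0.113.9"
GUESTS = ["192.168.1.%d" % i for i in range(100, 108)]


def web_access(pat: bool) -> int:
    """Guests that can open a plain TCP session (e.g. port 80) to the internet."""
    tr = Translator(pool=list(POOL), pat_ip=PAT_IP if pat else None)
    return sum(tr.translate(Packet(TCP, g, 40000)) is not None for g in GUESTS)


def pool_only() -> int:            # original config: 5 tunnels, 6th guest dropped
    return tunnels_up(Translator(pool=list(POOL)), GUESTS, nat_t=False)


def pool_plus_pat_raw_esp() -> int:  # pool + PAT + esp-ike fixup: one extra tunnel
    return tunnels_up(Translator(pool=list(POOL), pat_ip=PAT_IP), GUESTS, nat_t=False)


def pool_plus_pat_nat_t() -> int:   # pool + PAT with NAT-T peers: every guest gets a tunnel
    return tunnels_up(Translator(pool=list(POOL), pat_ip=PAT_IP), GUESTS, nat_t=True)


if __name__ == "__main__":
    print("web, pool only / with PAT:", web_access(False), web_access(True))
    print("tunnels: pool only", pool_only(), "| +PAT raw ESP", pool_plus_pat_raw_esp(),
          "| +PAT NAT-T", pool_plus_pat_nat_t())
```

The model makes the last reply concrete: PAT fixes the "6th guest has no internet" problem for web traffic, but raw ESP behind PAT is a one-host affair, so getting several guests' VPNs up means their head-end must accept UDP-encapsulated (NAT-T) or TCP-encapsulated IPsec, which is the peer's configuration rather than anything on the PIX 501.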