What is NAT-T, how do I forward ports?

Unanswered Question
Feb 15th, 2007

I'm having an issue with my VPN software connecting to a remote PIX. It had to go through my home PIX first.

I was told to use NAT-T and forward UDP 4500 but I don't know how to do either of these.

Can anyone help please? I've been trying to get this working for almost 2 weeks.

acomiskey Thu, 02/15/2007 - 13:09

Add "isakmp nat-traversal" to pix. This will allow ipsec to function with pat. UDP 4500 is the port that ipsec over udp uses for udp encapsulation of esp packets.

Kamal Malhotra Thu, 02/15/2007 - 13:31

Hi,

In the VPN client application, select the specific connection entry, modify it, goto transport tab and make sure 'Enable Transparent Tunneling' is checked and the 'IPSEC over UDP (NAT/PAT) is selected.

HTH,

Kamal

m-jankowski Fri, 02/16/2007 - 06:55

Great suggestions... I appreciate your responses, however it still does not work.. unless I am missing something, I think it would be better if I posted my config? Also maybe a step by step to configure it would help.

acomiskey Fri, 02/16/2007 - 06:58

Yes, post your config, remove all sensitive information..passwords etc.

m-jankowski Fri, 02/16/2007 - 15:22

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging console informational
logging buffered informational
icmp deny any outside
mtu outside 1500
mtu inside 4000
ip address outside dhcp setroute retry 4
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 68.66.174.196 255.255.255.255 outside
pdm logging informational 200
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
rip inside passive version 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp nat-traversal 20
telnet timeout 5
ssh 192.168.1.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username password encrypted privilege 15
terminal width 80
Cryptochecksum:
: end
[OK]

Kamal Malhotra Fri, 02/16/2007 - 15:41

Hi,

Please try this:

access-list outside_in permit udp any any eq 500
access-list outside_in permit udp any any eq 4500
access-group outside_in in interface outside

You can replace the source 'any' with the remote peer's public IP address.

HTH,

Regards,

Kamal

m-jankowski Fri, 02/16/2007 - 16:04

Is there a command that I can use to send that to the PIX? I tried sending that and it didn't change anything in the access list.

Kamal Malhotra Fri, 02/16/2007 - 16:26

Hi Marc,

These are three different commands:

access-list outside_in permit udp any any eq 500
access-list outside_in permit udp any any eq 4500
access-group outside_in in interface outside

Please login to the PIX using telnet or SSH and paste these commands. If you access using PDM then goto 'Tools' and 'Command Line Interface' and then paste one command at a time.

It should work.

Regards,

Kamal

m-jankowski Fri, 02/16/2007 - 17:17

It still won't let me browse the remote network. Just to clarify... I disconnected the PIX today and went right through the cable modem.. no firewall and everything worked.

m-jankowski Fri, 02/16/2007 - 18:03

I reset the PIX to factory defaults and re-entered those commands. Still won't let me browse the network or use remote desktop.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit udp any any eq isakmp
access-list outside_in permit udp any any eq 4500
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
[OK]

m-jankowski Fri, 02/16/2007 - 18:38

I'm getting this error in my logs..

3 Feb 17 2007 02:30:24 305006: portmap tranlation cration failed for protocol 50 src inside: *My computer* dst outside: *Remote Site*

m-jankowski Fri, 02/16/2007 - 18:45

After a quick search I found that these three commands needed to be run:

fixup protocol esp-ike
access-list outside_access_in permit esp any any
access-group outside_access_in in interface outside

Apparently... the PIX was blocking protocol 50 which is the ESP/encapsulating protocol for IPsec? Oh well either way it works. Thank you all for your help.. someone should write an article about this.

acomiskey Mon, 02/19/2007 - 06:36

It should not be that way.

Going back to the original problem, what pix are we dealing with, local or remote?

You need to add "isakmp nat-traversal" to remote pix.

As it is now, you are not running nat-t and will not be able to establish more than 1 vpn session.

m-jankowski Tue, 02/20/2007 - 08:03

The problem has nothing to do with the remote PIX. The local PIX was blocking the VPN connections.

acomiskey Tue, 02/20/2007 - 08:48

Like I said, the original problem would have been solved with "isakmp nat-traversal" in REMOTE pix, not in the local pix. What you did with "fixup protocol esp-ike" is allow 1 single vpn connection through pat. As soon as you try a 2nd connection, the 1st will be dropped. This is fine as long as you only need 1 vpn connection outbound. Just letting you know there is another way since you didn't really seem to understand what was going on.
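The trade-off acomiskey describes, as an added example that is not part of the thread: a toy PAT table in Python (not PIX code) showing why plain ESP (IP protocol 50, which has no port numbers) can carry only one outbound IPsec session through a single overloaded outside address, while NAT-T wraps ESP in UDP/4500 so each inside host gets its own translated port. All addresses are constructed; the PIX syslog id 305006 referenced in a comment is the one the poster quoted above.

```python
from dataclasses import dataclass
from typing import Optional

ESP = 50          # IP protocol number for ESP
UDP = 17
NAT_T_PORT = 4500  # NAT-T: ESP/IKE encapsulated in UDP on port 4500


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for protocol 50: ESP carries no ports


class PatTable:
    """Toy model of 'global (outside) 1 interface' + 'nat (inside) 1 0 0' (PAT)."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip
        self.xlate = {}     # inside key -> translated Flow
        self.reverse = {}   # what the outside sees -> inside key (for return traffic)
        self.next_port = 1024

    def active(self, f: Flow) -> bool:
        return (f.proto, f.src, f.dst, f.sport) in self.xlate

    def translate(self, f: Flow) -> Flow:
        key = (f.proto, f.src, f.dst, f.sport)
        if key in self.xlate:
            return self.xlate[key]
        if f.proto == ESP:
            # No port to rewrite: return ESP from this peer can only be mapped to one
            # inside host, so a second host's session replaces the first (the "1st
            # will be dropped" behaviour). Without 'fixup protocol esp-ike' the PIX
            # would not build this translation at all and logs 305006.
            rkey = (ESP, f.dst, None)
            old = self.reverse.get(rkey)
            if old is not None:
                del self.xlate[old]
            out = Flow(ESP, self.outside_ip, f.dst, None)
        else:
            # UDP/4500 (NAT-T) has a source port, so each host gets a unique mapping.
            port = self.next_port
            self.next_port += 1
            rkey = (f.proto, f.dst, port)
            out = Flow(f.proto, self.outside_ip, f.dst, port)
        self.xlate[key] = out
        self.reverse[rkey] = key
        return out
```

Running two inside hosts against the same remote peer with ESP leaves one translation; the same two hosts using NAT-T keep two.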

m-jankowski Wed, 02/21/2007 - 16:40

I checked the remote PIX. It has isakmp nat-traversal enabled.. so if you have another idea as to why it wasn't working then please share.

acomiskey Wed, 02/21/2007 - 19:40

sorry bout that, at least you got it working, have you tried more than 1 vpn at a time?

m-jankowski Fri, 02/23/2007 - 01:43

No, the fixup won't allow it. Which is a problem as you mentioned. I need to figure out why the connection is being blocked... but for now I can get my work done so I'm happy. Although soon I'll be needing to connect to here 24/7.
