port-forward vpn?????

Answered Question
Sep 4th, 2010

Hey everyone,

Here is the situation: I have a Sidewinder firewall just behind a Cisco 2811 router. The router has one external public IP, so it is providing NAT overload (PAT). I want to allow users to connect to my network using an IPsec VPN to the firewall. Due to design issues I cannot put the firewall directly on the Internet. Now here is my question: do I need to port-forward the IPsec VPN from the router to the firewall? And now the big rookie question: if I do have to port-forward, how do I do that?

Thanks for the help,

Andrew

Correct Answer
Federico Coto F... Sat, 09/04/2010 - 17:02

Andrew,

I'm not sure if that firewall supports port-forwarding or how to do it, but you will need to redirect:

UDP port 500

IP protocol ESP

UDP port 4500

So, if this were a Cisco device, you would create a port-forwarding rule to redirect the above ports to the internal firewall.

To do the port forwarding in the router you do:

! x.x.x.x is the firewall's inside address; <outside-interface> is a placeholder
! for the router's Internet-facing interface (e.g. FastEthernet0/0), which the
! "interface" keyword requires. The outside port must match the inside port.

ip nat inside source static udp x.x.x.x 500 interface <outside-interface> 500

ip nat inside source static udp x.x.x.x 4500 interface <outside-interface> 4500

ip nat inside source static esp x.x.x.x interface <outside-interface>

Federico.
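For readers who want to see the three forwarding lines in the context of a working PAT configuration, here is an added Cisco IOS example; it is not part of Federico's post or of any Cisco documentation. The interface names (FastEthernet0/0 outside, FastEthernet0/1 inside), the inside subnet 192.168.1.0/24 and the firewall's outside address 192.168.1.2 are assumed placeholders; substitute your own values. The static entries are what let inbound IKE (UDP/500) and NAT-T (UDP/4500) reach the firewall while the rest of the inside segment continues to use ordinary overload PAT on the single public address.

```cisco
! Added example (not from the thread). Interface names and addresses are assumed.
!
interface FastEthernet0/0
 description Internet-facing interface holding the single public IP
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 description Inside segment where the Sidewinder's external interface sits
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Ordinary PAT (overload) for everything else on the inside segment.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Static port forwards for the VPN. The outside port equals the inside port:
! remote IKE peers send to UDP/500 and, once NAT-T is negotiated, to UDP/4500.
ip nat inside source static udp 192.168.1.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.1.2 4500 interface FastEthernet0/0 4500
!
! Raw ESP (IP protocol 50) forward. Only needed for peers without NAT-T; with
! NAT-T the ESP is carried inside UDP/4500 and this line can be left out.
ip nat inside source static esp 192.168.1.2 interface FastEthernet0/0
```

After applying it, `show ip nat translations` should list the two (or three) static entries pointing at 192.168.1.2, and a remote client's IKE exchange should appear there as a translation on UDP/500 followed by UDP/4500 once both ends detect the NAT. Keep the static entries limited to the firewall's address only; a `static` entry with a broader match would expose more of the inside segment than the VPN needs.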

Correct Answer
praprama Sat, 09/04/2010 - 23:31

Hi,

Just to add a small detail here. Given that the firewall is going to be behind a NAT device, NAT-T should detect this fact and hence force further VPN transactions to use UDP port 4500 (or whatever is specified on the firewall). So in addition to the port-forwarding for UDP 500, you will just need a port forward for UDP port 4500 (or what is specified on the firewall of yours). So you will need to ensure that NAT-Traversal is enabled on the firewall.

The NAT for ESP hence may not be necessary.

Let me know if this helps!!

Thanks and Regards,

Prapanch

amorphism Thu, 09/09/2010 - 18:04

Federico and Prapanch,

That worked like a charm. I didn't have to forward the ESP protocol, just ports 500 and 4500.

Thanks for the help,

Andrew

praprama Thu, 09/09/2010 - 19:06

Hi Andrew,

Glad to know that it's working.

Regards,

Prapanch
