port-forward vpn?????

amorphism
Level 1

Hey everyone,

Here is the situation: I have a Sidewinder firewall just behind a Cisco 2811 router. The router has one external public IP, so it is providing NAT overload (PAT). I want to allow users to connect to my network using an IPsec VPN to the firewall. Due to design issues I cannot put the firewall directly on the Internet. Now here is my question: do I need to port-forward the IPsec VPN from the router to the firewall? And now the big rookie question: if I do have to port-forward, how do I do that?

Thanks for the help,

Andrew

2 Accepted Solutions

Andrew,

I'm not sure if that firewall supports port-forwarding or how to do it, but you will need to redirect:

UDP port 500

IP protocol ESP

UDP port 4500

So, if this was a Cisco device you create a port forwarding rule to redirect the above ports to the internal firewall.

To do the port forwarding in the router you do:

! x.x.x.x is the firewall's inside address; the outside interface is assumed here to be
! FastEthernet0/0 (the 2811's built-in port) - substitute the interface that holds the public IP
ip nat inside source static udp x.x.x.x 500 interface FastEthernet0/0 500
ip nat inside source static udp x.x.x.x 4500 interface FastEthernet0/0 4500
ip nat inside source static esp x.x.x.x interface FastEthernet0/0

Federico.


Hi,

Just to add a small detail here. Given that the firewall is going to be behind a NAT device, NAT-T should detect this fact and hence force further VPN transactions to use UDP port 4500 (or whatever is specified on the firewall). So in addition to the port-forwarding for UDP 500, you will just need a port forward for UDP port 4500 (or what is specified on the firewall of yours). So you will need to ensure that NAT-Traversal is enabled on the firewall.

The NAT for ESP hence may not be necessary.

Let me know if this helps!!

Thanks and Regards,

Prapanch

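The NAT-T detection Prapanch describes, simulated for this thread's topology (remote client, 2811 doing PAT, firewall on the inside). This is an added example, not code from the thread, from Cisco or from the Sidewinder product; the SPIs, addresses and ports are constructed sample values. The hash construction is the one RFC 3947 / RFC 7296 specify for the NAT_DETECTION payloads (SHA-1 over SPIi, SPIr, IP address and port), and the UDP/4500 framing follows RFC 3948, which is why only UDP 500 and 4500 need forwarding once NAT-T kicks in.

```python
"""Added example: IKE NAT-Traversal detection and ESP-in-UDP/4500 framing.

All addresses, SPIs and payload bytes below are constructed for illustration.
"""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix that marks IKE (not ESP) on UDP/4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload value: SHA-1(SPIi | SPIr | IP | Port)."""
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def responder_detects_nat(spi_i, spi_r, peer_src_hash, peer_dst_hash,
                          observed_src, own_addr):
    """Responder-side check of the two NAT_DETECTION payloads sent by the initiator.

    peer_src_hash: hash of the source address/port the initiator believes it used.
    peer_dst_hash: hash of the destination address/port the initiator sent to.
    observed_src:  (ip, port) actually seen in the IP/UDP headers on arrival.
    own_addr:      (ip, port) the responder is really listening on.
    """
    src_ok = peer_src_hash == nat_detection_hash(spi_i, spi_r, *observed_src)
    dst_ok = peer_dst_hash == nat_detection_hash(spi_i, spi_r, *own_addr)
    return {
        "initiator_behind_nat": not src_ok,
        "responder_behind_nat": not dst_ok,
        # Any mismatch: both peers float IKE and ESP to UDP/4500.
        "use_udp_4500": not (src_ok and dst_ok),
    }


def encap_ike(ike_message: bytes) -> bytes:
    """IKE carried on UDP/4500 gets the 4-byte zero non-ESP marker in front."""
    return NON_ESP_MARKER + ike_message


def encap_esp(esp_packet: bytes) -> bytes:
    """ESP on UDP/4500 is carried as-is; a real SPI is never zero, so no marker is needed."""
    return esp_packet


def classify_udp4500_payload(payload: bytes) -> str:
    """Demultiplex a UDP/4500 payload the way an IPsec peer does (RFC 3948)."""
    if payload == b"\xff":
        return "NAT-keepalive"
    if payload[:4] == NON_ESP_MARKER:
        return "IKE"
    return "ESP"


def scenario():
    """The thread's setup: client on the Internet, router PAT, firewall inside (constructed)."""
    spi_i = bytes.fromhex("0102030405060708")
    spi_r = bytes(8)                        # responder SPI is still zero in the first request
    client = ("203.0.113.5", 500)           # remote user's public address
    router_public = ("198.51.100.1", 500)   # the 2811's single public IP
    firewall = ("192.168.1.10", 500)        # firewall's inside address (x.x.x.x in the thread)

    # The client hashes the addresses it knows about...
    src_hash = nat_detection_hash(spi_i, spi_r, *client)
    dst_hash = nat_detection_hash(spi_i, spi_r, *router_public)
    # ...the router forwards UDP/500 inward, so the firewall sees the client's real
    # source but its own inside address as destination: the destination hash mismatches.
    return responder_detects_nat(spi_i, spi_r, src_hash, dst_hash,
                                 observed_src=client, own_addr=firewall)


if __name__ == "__main__":
    print(scenario())
    for name, pkt in [("ike", encap_ike(b"\x01\x02")),
                      ("esp", encap_esp(bytes.fromhex("0000abcd") + bytes(8))),
                      ("keepalive", b"\xff")]:
        print(name, "->", classify_udp4500_payload(pkt))
```

The destination-hash mismatch is exactly the firewall-behind-PAT case in this thread: the firewall learns it is behind a NAT, both sides move to UDP/4500, and ESP is then wrapped in UDP where the router's PAT can handle it. That is why the ESP static NAT entry turns out to be unnecessary, and also why the setup depends on NAT-T being enabled on the firewall: with it off, raw ESP would have to traverse the PAT on its own.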

4 Replies

Federico and Prapanch,

That worked like a charm. I didn't have to forward the ESP protocol, just ports 500 and 4500.

Thanks for the help,

Andrew

Hi Andrew,

Glad to know that it's working.

Regards,

Prapanch
