09-04-2010 04:18 PM
Hey everyone,
Here is the situation I have a sidewinder firewall just behind a Cisco 2811 router. The router has one external public IP, so it is providing NAT overload (PAT). I want to allow users to connect to my network using a ipsec vpn to the firewall. Due to design issues I cannot put the firewall directly on the Internet. Now here is my question do I need to port-forward the ipsec vpn from the router to the firewall? And now the big rookie question if I do have to port-forward how do I do that?
Thanks for the help,
Andrew
09-04-2010 05:02 PM
Andrew,
I'm not sure if that firewall supports port-forwarding or how to do it, but you will need to redirect
UDP port 500
IP protocol ESP
UDP port 4500
So, if this was a cisco device you create a port forwarding rule to redirect the above ports to the internal firewall.
To do the port forwarding in the router you do:
! x.x.x.x is the firewall's inside address; <outside-interface> is a placeholder for the
! router's public-facing interface (the one with the single public IP)
ip nat inside source static udp x.x.x.x 500 interface <outside-interface> 500
ip nat inside source static udp x.x.x.x 4500 interface <outside-interface> 4500
ip nat inside source static esp x.x.x.x interface <outside-interface>
Federico.
09-04-2010 11:31 PM
Hi,
Just to add a small detail here. Given that the firewall is going to be behind a NAT device, NAT-T should detect this fact and hence force further VPN transactions to use UDP port 4500 (or whatever is specified on the firewall). So in addition to the port-forwarding for UDP 500, you will just need a port forward for UDP port 4500 (or what is specified on the firewall of yours). So you will need to ensure that NAT-Traversal is enabled on the firewall.
The NAT for ESP hence may not be necessary.
Let me know if this helps!!
Thanks and Regards,
Prapanch
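The two replies above describe three static NAT entries (UDP/500 for IKE, UDP/4500 for NAT-T, and ESP, which NAT-T makes optional). The following checker, added here as an illustration and not part of the thread, parses IOS-style "ip nat inside source static" lines and reports whether each forward to the firewall is present and mapped to the matching global port; the sample config and the 192.168.1.2 address are constructed, and the second sample line deliberately carries the 4500-to-500 port mismatch seen in the original reply.

```python
import re

# Constructed sample of a router's NAT statements (not taken from the thread).
# The second static line maps inside UDP/4500 to outside UDP/500, which is a mismatch.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.1.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.1.2 4500 interface FastEthernet0/0 500
"""

# Matches both forms used for IPsec pass-through:
#   ip nat inside source static {udp|tcp} <local-ip> <local-port> interface <if> <global-port>
#   ip nat inside source static esp <local-ip> interface <if>
STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>udp|tcp|esp)\s+(?P<ip>\S+)"
    r"(?:\s+(?P<lport>\d+))?\s+interface\s+(?P<iface>\S+)(?:\s+(?P<gport>\d+))?\s*$"
)


def parse_static_nat(config):
    """Return (proto, local_ip, local_port, global_port) for every static NAT line."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append((m["proto"], m["ip"], m["lport"], m["gport"]))
    return entries


def check_ipsec_forwarding(config, vpn_host, nat_t=True):
    """Report the state of the IPsec forwards to vpn_host.

    Keys: 'ike' (UDP/500), 'nat_t' (UDP/4500), 'esp'. Values: 'ok', 'missing',
    or 'mismatch' (forwarded to a different global port). With nat_t=True an
    absent ESP entry is 'optional', because NAT-T carries ESP inside UDP/4500.
    """
    result = {"ike": "missing", "nat_t": "missing",
              "esp": "optional" if nat_t else "missing"}
    for proto, ip, lport, gport in parse_static_nat(config):
        if ip != vpn_host:
            continue  # forward belongs to some other inside host
        if proto == "udp" and lport == "500":
            result["ike"] = "ok" if gport == "500" else "mismatch"
        elif proto == "udp" and lport == "4500":
            result["nat_t"] = "ok" if gport == "4500" else "mismatch"
        elif proto == "esp":
            result["esp"] = "ok"
    return result
```

Running check_ipsec_forwarding(SAMPLE_CONFIG, "192.168.1.2") flags the NAT-T entry as a mismatch, which is exactly the kind of typo that leaves IKE phase 1 working while the tunnel fails to pass traffic.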
09-09-2010 06:04 PM
Federico and Prapanch,
That worked like a charm. I didn't have to forward the ESP protocol, just ports 500 and 4500.
Thanks for the help,
Andrew
09-09-2010 07:06 PM
Hi Andrew,
Glad to know that it's working.
Regards,
Prapanch