09-04-2010 04:18 PM
Hey everyone,
Here is the situation: I have a Sidewinder firewall just behind a Cisco 2811 router. The router has one external public IP, so it is providing NAT overload (PAT). I want to allow users to connect to my network using an IPsec VPN to the firewall. Due to design issues I cannot put the firewall directly on the Internet. Now here is my question: do I need to port-forward the IPsec VPN from the router to the firewall? And now the big rookie question: if I do have to port-forward, how do I do that?
Thanks for the help,
Andrew
09-04-2010 05:02 PM
Andrew,
I'm not sure if that firewall supports port-forwarding or how to do it, but you will need to redirect
UDP port 500
IP protocol ESP
UDP port 4500
So, if this were a Cisco device, you would create a port-forwarding rule to redirect the above ports to the internal firewall.
To do the port forwarding on the router, you do:
! x.x.x.x = the firewall's inside address; <outside-interface> = the router's Internet-facing interface (placeholder, not named in the original post)
ip nat inside source static udp x.x.x.x 500 interface <outside-interface> 500
ip nat inside source static udp x.x.x.x 4500 interface <outside-interface> 4500
ip nat inside source static esp x.x.x.x interface <outside-interface>
Federico.
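The three forwards listed above can be checked mechanically before a remote user tries to connect. The script below is an added example (not from this thread, not Cisco code): it parses IOS static PAT lines of the two forms used above and reports missing or mistyped forwards for an IPsec endpoint behind the router. The 10.0.0.2 address and FastEthernet0/0 interface are constructed sample values; the "bad" sample reproduces a slip where the UDP 4500 rule carries global port 500.

```python
"""Lint Cisco IOS static PAT entries for IPsec pass-through to an inside host.

Added example (not from the thread). It parses the two IOS forms
    ip nat inside source static {tcp|udp} <local-ip> <local-port> interface <ifname> <global-port>
    ip nat inside source static esp <local-ip> interface <ifname>
and reports what is missing or mistyped for a VPN endpoint behind the router.
All addresses and interface names below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

L4_RULE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)
ESP_RULE = re.compile(r"^ip nat inside source static esp (\S+) interface (\S+)$")


@dataclass(frozen=True)
class StaticNat:
    proto: str                  # "udp", "tcp" or "esp"
    local_ip: str               # inside host the traffic is delivered to
    local_port: Optional[int]   # None for ESP (no ports)
    interface: str              # router interface whose address is the global side
    global_port: Optional[int]  # None for ESP


def parse_static_nat(config: str) -> List[StaticNat]:
    """Extract static NAT/PAT rules; unrelated config lines are ignored."""
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        m = L4_RULE.match(line)
        if m:
            proto, ip, lport, ifname, gport = m.groups()
            rules.append(StaticNat(proto, ip, int(lport), ifname, int(gport)))
            continue
        m = ESP_RULE.match(line)
        if m:
            ip, ifname = m.groups()
            rules.append(StaticNat("esp", ip, None, ifname, None))
    return rules


def check_ipsec_forwarding(config: str, vpn_host: str, nat_t: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the forwards look right.

    nat_t=True models the thread's outcome: with NAT-Traversal enabled on the
    firewall, ESP rides inside UDP 4500, so a separate ESP forward is optional.
    """
    rules = parse_static_nat(config)
    problems = []
    for port in (500, 4500):
        hits = [r for r in rules if r.proto == "udp" and r.global_port == port]
        if not hits:
            problems.append(f"no static PAT for UDP {port}")
            continue
        for r in hits:
            if r.local_ip != vpn_host:
                problems.append(f"UDP {port} is forwarded to {r.local_ip}, not {vpn_host}")
            if r.local_port != port:
                problems.append(
                    f"UDP {port} is forwarded to inside port {r.local_port}; IKE/NAT-T expect {port}"
                )
    has_esp = any(r.proto == "esp" and r.local_ip == vpn_host for r in rules)
    if not has_esp and not nat_t:
        problems.append("no ESP forward and NAT-T disabled: the peer's ESP will be dropped at the router")
    return problems


# Constructed samples. BAD has the 4500 rule carrying global port 500; GOOD is the corrected pair.
SAMPLE_BAD = """
ip nat inside source static udp 10.0.0.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 10.0.0.2 4500 interface FastEthernet0/0 500
"""
SAMPLE_GOOD = """
ip nat inside source static udp 10.0.0.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 10.0.0.2 4500 interface FastEthernet0/0 4500
"""

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_ipsec_forwarding(cfg, "10.0.0.2") or "OK")
    print("good, NAT-T off:", check_ipsec_forwarding(SAMPLE_GOOD, "10.0.0.2", nat_t=False))
```

Run it against a `show running-config | include ip nat inside source static` dump with the firewall's inside address; pass `nat_t=False` if NAT-Traversal is not enabled on the firewall, and the missing ESP forward is then reported as well.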
09-04-2010 11:31 PM
Hi,
Just to add a small detail here. Given that the firewall is going to be behind a NAT device, NAT-T should detect this fact and hence force further VPN transactions to use UDP port 4500 (or whatever is specified on the firewall). So in addition to the port-forwarding for UDP 500, you will just need a port forward for UDP port 4500 (or what is specified on your firewall). So you will need to ensure that NAT-Traversal is enabled on the firewall.
The NAT for ESP hence may not be necessary.
Let me know if this helps!!
Thanks and Regards,
Prapanch
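The detection Prapanch refers to is done with the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads of IKEv2 (RFC 7296, section 2.23; IKEv1 uses equivalent NAT-D payloads). The script below is an added example, not part of this thread or of any vendor's code: it computes those hashes and shows why the firewall behind the router, and the remote user talking to it, each conclude that the responder side is NATed and move to UDP 4500. SPIs, addresses and the topology are constructed sample values.

```python
"""How NAT-Traversal notices the router's NAT (IKEv2 NAT_DETECTION payloads, RFC 7296 section 2.23).

Added example (not from the thread). Each peer sends SHA-1(SPIi | SPIr | address | port)
for the source and destination it believes the packet has. The receiver recomputes the
hashes over the addresses actually present in the IP/UDP headers; a mismatch means a NAT
rewrote that side, and both peers move IKE to UDP 4500 and carry ESP inside UDP.
SPIs and addresses are constructed sample values.
"""
import hashlib
import ipaddress
import struct
from typing import Dict, Tuple

Endpoint = Tuple[str, int]   # (IP address, UDP port)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over the two 8-byte SPIs (header order), packed address and 16-bit port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i: bytes, spi_r: bytes,
               claimed_src: Endpoint, observed_src: Endpoint,
               claimed_dst: Endpoint, observed_dst: Endpoint) -> Dict[str, bool]:
    """Receiver-side check.

    claimed_*  : what the sender hashed into NAT_DETECTION_SOURCE_IP / _DESTINATION_IP
    observed_* : what the receiver sees on the wire (observed_dst is its own address)
    """
    sent_src = nat_detection_hash(spi_i, spi_r, *claimed_src)
    sent_dst = nat_detection_hash(spi_i, spi_r, *claimed_dst)
    return {
        "peer_behind_nat": sent_src != nat_detection_hash(spi_i, spi_r, *observed_src),
        "self_behind_nat": sent_dst != nat_detection_hash(spi_i, spi_r, *observed_dst),
    }


# Constructed topology mirroring the thread: remote user -> router (public IP, static PAT) -> firewall.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")
SPI_R_UNSET = bytes(8)                   # responder SPI is still zero in the IKE_SA_INIT request
REMOTE_USER = ("203.0.113.5", 500)
ROUTER_PUBLIC = ("198.51.100.1", 500)
FIREWALL_INSIDE = ("10.0.0.2", 500)


def firewall_view() -> Dict[str, bool]:
    """IKE_SA_INIT request as the firewall receives it after the router's static PAT."""
    return detect_nat(SPI_I, SPI_R_UNSET,
                      claimed_src=REMOTE_USER, observed_src=REMOTE_USER,
                      claimed_dst=ROUTER_PUBLIC, observed_dst=FIREWALL_INSIDE)


def remote_user_view() -> Dict[str, bool]:
    """IKE_SA_INIT response as the remote user receives it; the router rewrote the source."""
    return detect_nat(SPI_I, SPI_R,
                      claimed_src=FIREWALL_INSIDE, observed_src=ROUTER_PUBLIC,
                      claimed_dst=REMOTE_USER, observed_dst=REMOTE_USER)


if __name__ == "__main__":
    print("firewall sees:", firewall_view())
    print("remote user sees:", remote_user_view())
```

The firewall learns it is behind a NAT from the destination hash on the request; the remote user learns the same from the source hash on the response. Once either side detects a NAT, the exchange continues on UDP 4500 with ESP UDP-encapsulated, which is why the plain ESP forward on the router turned out not to be needed.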
09-09-2010 06:04 PM
Federico and Prapanch,
That worked like a charm. I didn't have to forward the ESP protocol, just ports 500 and 4500.
Thanks for the help,
Andrew
09-09-2010 07:06 PM
Hi Andrew,
Glad to know that it's working.
Regards,
Prapanch