VPN Client 3.0.3 and NAT

Unanswered Question
Mar 8th, 2002
User Badges:

We have a PIX3000 unit setup at our corporate office. I can currently access our network through the Cisco VPN Client Sofware version 3.0.3. I am curently doing this via dialup. I have been informed by my ISP that my local access number is changing. When I ran a test on this new access number I can still connect to the PIX unit, but I can no longer access the internal network. I beleive my ISP is switching me to NAT. What are my options? I currently have the box checked for IPSec through NAT. Thanks for any Help!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
s.vidanovic Mon, 03/11/2002 - 23:54
User Badges:

Hi,


First, find out whether your ISP is doing NAT or PAT. If the NAT (one-to-one translation) is in place, then you have to ask your ISP to permit esp traffic trough their firewall (esp is IP traffic number 50). The story is like this: Your VPN client initiates connection from behind your ISP firewall to your remote PIX in order to establish the tunnel. PIX returns the traffic to your VPN client, and since this is the part of your session initiated from behind ISP firewall, traffic is permited, and you tunnel is built. But, when you want to communicate to your internal network, everything is IP protool number 50 traffic (esp), which is blocked on your ISP firewall. If ISP would do PAT (many-to-one translation) you would even not be able to establish the tunnel with your PIX. There are options to encapsulate esp traffic into UDP and TCP, but as far as I know, neither is supported with PIX (you need concentrator to do this). So, I would say, not much options...


Sasa

Hi! I have a related question. How does one VPN out from a 'behind the corporate firewall' to the remote VPN network? What needs to be configured on the corporate firewall to allow client VPN to establish a VPN connection to the remote network...


In other words my company has a firewall that does not allow direct connection to any outside address. For example if I want to ssh to an outside host I need to request that they map an internal address to the external address I need to get to and then open the firewall for that specific SSH connection.


How would one do so for VPN connections (I am using CISCO VPN client). What ports/etc does the VPN client need open to establish the connection? Where can I read technical docs regarding this matter?


Your help is much appreciated!!!


Cheers,

David

Actions

This Discussion