issues with vpn through firewall/proxy setup

Answered Question
Jan 29th, 2003

Hi,

I want to access the VPN through a firewall/proxy on the client side (VPN Client).

I've installed the VPN gateway as a PIX 515 firewall using Microsoft CA IKE SA.


I want to establish a VPN tunnel from my VPN client through a proxy/firewall.


I've tried in some VPN client places where the firewall acts as a Linux box in which it's enabled with the IPsec and ESP NAT functionality. It's working perfectly, but only for one concurrent VPN client. Also, the first VPN tunnel disconnects when the second user tries, without knowing about the first established tunnel.


I heard that we can work out this issue using "NAT Traversal" mode, which comes in PIX IOS 6.3, as on the Cisco 3000 Concentrator.


I want to know how NAT Traversal can solve my issue: more than one concurrent user without ESP NAT support in a firewall/proxy setup, or only one concurrent user without ESP NAT support in a firewall/proxy setup.


Thanks,

Karthikeyan V


Correct Answer
gfullage Wed, 01/29/2003 - 21:22
User Badges: Cisco Employee

The VPN client is able to detect that it has gone through a NAT/PAT device on the way to the concentrator/PIX, and then if both ends support it, they'll automatically start NAT-T and encapsulate the IPSec packets into UDP port 4500 packets. These are then able to be NAT'd properly and you won't get the disconnections or the problems you're currently seeing.


The reason you see only one client being able to connect and clients being disconnected when another connects is that your PAT device cannot handle the ISAKMP and IPSec packets properly. This is a fairly common symptom.


PIX v6.3 code will support NAT-T; it should be available in March sometime.
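The mechanism described in this answer, as an added model that is not code from the thread, from Cisco, or from the VPN client: a small Python simulation of a port-only PAT device. It builds constructed ESP and UDP packets (RFC 5737 documentation addresses, made-up SPIs), classifies them as raw ESP, IKE, NAT-T IKE or NAT-T ESP (the four-byte non-ESP marker of RFC 3948 separates the last two on UDP 4500), and then shows that two inside clients bound for the same gateway collide when they send raw ESP, because ESP has no port field for the PAT to key on, while the same two clients keep independent mappings once the ESP is carried inside UDP 4500. The `PortOnlyPAT` class is a deliberately simple model, not the behaviour of any particular Linux or PIX NAT implementation.

```python
"""Why a port-based PAT device keeps only the last raw IPsec client but passes
several NAT-T (UDP 4500) clients.  Added illustration for this thread, not code
from Cisco, the PIX or the VPN client; all addresses and SPIs are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 starts with four zero bytes


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    payload: bytes  # bytes after the IP header: ESP header+data, or UDP header+data


def build_esp(spi: int, seq: int, data: bytes) -> bytes:
    """ESP header (RFC 4303): 32-bit SPI, 32-bit sequence number, then payload."""
    return struct.pack("!II", spi, seq) + data


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (RFC 768); a zero checksum is permitted for NAT-T senders."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(pkt: Packet) -> str:
    """Label a packet as raw ESP, IKE, NAT-T encapsulated IKE or ESP, or other."""
    if pkt.proto == IPPROTO_ESP:
        return "esp"
    if pkt.proto == IPPROTO_UDP and len(pkt.payload) >= 8:
        sport, dport, _, _ = struct.unpack("!HHHH", pkt.payload[:8])
        body = pkt.payload[8:]
        if NAT_T_PORT in (sport, dport):
            # SPI 0 is reserved, so four zero bytes can only be the IKE marker.
            return "nat-t-ike" if body[:4] == NON_ESP_MARKER else "nat-t-esp"
        if IKE_PORT in (sport, dport):
            return "ike"
    return "other"


class PortOnlyPAT:
    """Model of a PAT device that can only multiplex on transport ports.

    UDP flows get a unique public port per (inside ip, inside port).  Raw ESP
    has no ports, so the only key this device can use is the destination
    gateway; a second inside host to the same gateway steals that slot."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.udp_map: Dict[Tuple[str, int], int] = {}  # (inside ip, port) -> public port
        self.esp_map: Dict[str, str] = {}              # gateway ip -> inside ip

    def translate(self, pkt: Packet) -> Tuple[str, Optional[int], Optional[str]]:
        """Return (public ip, public port or None, inside ip evicted or None)."""
        kind = classify(pkt)
        if kind == "esp":
            evicted = self.esp_map.get(pkt.dst_ip)
            if evicted == pkt.src_ip:
                evicted = None
            self.esp_map[pkt.dst_ip] = pkt.src_ip      # overwrite: previous client loses its tunnel
            return self.public_ip, None, evicted
        if kind != "other":
            sport = struct.unpack("!H", pkt.payload[:2])[0]
            key = (pkt.src_ip, sport)
            if key not in self.udp_map:
                self.udp_map[key] = self.next_port     # one public port per inside client
                self.next_port += 1
            return self.public_ip, self.udp_map[key], None
        return self.public_ip, None, None

    def inside_hosts_with_tunnel(self) -> List[str]:
        """Inside hosts that still own a translation towards some gateway."""
        hosts = set(self.esp_map.values()) | {ip for ip, _ in self.udp_map}
        return sorted(hosts)


def run_scenario(use_nat_t: bool, clients: int = 2) -> List[str]:
    """Several inside clients bring up tunnels to one gateway through the PAT.
    Returns the inside hosts whose translation survives after the last connects."""
    pat = PortOnlyPAT("203.0.113.1")   # constructed public address (RFC 5737)
    gateway = "198.51.100.10"          # constructed PIX outside address
    for i in range(clients):
        inside = f"10.0.0.{11 + i}"
        esp = build_esp(spi=0x1000 + i, seq=1, data=b"\xaa" * 16)
        if use_nat_t:
            pkt = Packet(inside, gateway, IPPROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, esp))
        else:
            pkt = Packet(inside, gateway, IPPROTO_ESP, esp)
        pat.translate(pkt)
    return pat.inside_hosts_with_tunnel()


if __name__ == "__main__":
    print("raw ESP:", run_scenario(use_nat_t=False))  # only the last client survives
    print("NAT-T  :", run_scenario(use_nat_t=True))   # every client keeps its mapping
```

Running it prints a single surviving host for the raw-ESP case and both hosts for the NAT-T case, which is exactly the symptom in the question (the first tunnel drops when the second user connects) and why UDP 4500 encapsulation removes it. An ESP-aware NAT that tracks SPIs, like the Linux box the asker mentions, is a different model and is outside what this simulation covers.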

vkarthik Thu, 01/30/2003 - 03:58

Please acknowledge my reply, whether it's correct or not.

From your valuable explanations I found that PIX IOS 6.3 supports NAT-T and it supports multiple concurrent users through a NAT/PAT device like Linux.

Correct Answer
gfullage Thu, 01/30/2003 - 17:30
User Badges: Cisco Employee

Yes, PIX v6.3 will support NAT-T, and if you use the VPN client, which also supports NAT-T, then they'll be able to connect through Linux devices.


v6.3 should be available in March.
