Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
579
Views
0
Helpful
2
Replies

PIX and IPsec over TCP

mplant
Level 1
Level 1

‎06-03-2002 07:10 PM - edited ‎02-21-2020 11:46 AM

The only documentation I can find suggests using a VPN Concentrator to allow clients to use the IPsec over TCP configuration from their VPN client software, rather than a PIX.

My client wants to allow consultants who are behind their own firewall to have VPN access to their network, but NAT issues are raised (NAT at the consultants end).

Any ideas on whether a) the PIX (6.2) now supports this, or b) an alternative?

Thanks,

Mike.

Labels:
0 Helpful
2 Replies 2

cjacinto
Cisco Employee
Cisco Employee

‎06-03-2002 08:34 PM

Current 6.2 of the PIX doesn't support IPSec over tcp yet. This is only being supported on the VPN 3000 as the vpn head end.

0 Helpful

s.vidanovic
Level 1
Level 1

‎06-04-2002 05:54 AM

Hello Mike,

Ask your consultants whether they are using one-to-one NAT or PAT (hiding address) at their site. If they are using one-to-one, you can set up the VPN. Recently, I had similar problems, and I can summarize my findings in the following three cases:

First case - No NAT

This is the case where client is using DialUp, Cable or ADSL to connect to local ISP and receives an official IP address. No NAT is being used. In this case everything is perfectly OK.

Second case - one-to-one NAT translation at the client side (after IPSec):

In this case, VPN client is sitting behind Firewall which performs One-To-One NAT translation (in PIX terminology – Range). In this case, IPSec VPN tunnel is established, but no further traffic is possible. Here is complete process:

1. VPN client initiates connection from behind remote firewall to headend firewall on IKE/UDP 500 in order to establish the IPSec tunnel. Translation for this connection is properly built on remote firewall.

2. Returned traffic from headend firewall to VPN Client (IKE/UDP 500) is permitted by remote firewall because connection is initiated from behind remote firewall. After negotiating security policy between VPN Client and headend firewall, IPSec tunnel is established.

3. VPN Client is now trying for example to connect to some web server inside headend network. Traffic is encrypted on the VPN Client site and sent out to headend firewall. However, returned traffic is blocked by inbound rules od remote firewall. This is ESP traffic (IP protocols 50). Workaround is to permit ESP inbound traffic on remote firewall:

conduit permit ip any any esp

Third case: Many-to-one translation (PAT) at the remote site

In this case, everything is the same as scenario 2, except that remote firewall in front of VPN Client is performing PAT, and not NAT. In this case, it is not even possible to establish the IPSec tunnel. In Syslog of headend there is a message: Deny inbound (no xlate) udp/500. Even with the rule allowing UDP/500 it does not work.

Hope it helps.

Sasa

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents