01-16-2004 09:43 AM - edited 02-21-2020 01:00 PM
My customer has a PIX firewall and his ISP is Quest. Quest is doing NAT and PAT for him upstream. He would now like to have workers VPN in from home, but the firewall does not have a legal address on the outside interface; it is translated upstream. Will this be a problem if his outside address is 172.16.40.2 and upstream it is translated to a legal address? Will there need to be any special config on the PIX to accommodate this?
01-16-2004 11:07 AM
Hello is this thing on.......
01-16-2004 02:53 PM
Hi,
This could be a problem, depending on the version you're running. As long as you're running PIX-OS 6.3.x and have configured the command "isakmp nat-traversal", you should be fine.
Kind Regards,
Leo
01-18-2004 08:21 AM
Yes, this will most likely not work, as 172.16.40.2 is part of the RFC 1918 address space. This means that this address is marked as a private address and is therefore not routable. No ISP is going to have routing information to tell the home users how to get to this address, so the connection attempts will fail. You may be able to talk to Quest and see if they are statically mapping this address to a publicly routable address on their side. If so, you might be able to use the public address for your users to connect to. Hope this helps.
Scott
01-18-2004 09:17 AM
Scott
Quest is translating the address upstream, and yes, I am well aware that a 172.16.x.x address is not routable.
01-19-2004 05:55 AM
OK, then I guess I am confused as to your question. How would you propose that this work then?
Scott
01-19-2004 06:56 AM
Scott
Just as I said in my original post: Quest is doing all the NATing and translations upstream. The firewall is pointing to Quest. When someone on the outside accesses the Co. web server, Quest translates the address to an internal address and sends it to the firewall. So my question is: since the firewall has a private outside address and is translated upstream at Quest, will VPN work?
01-19-2004 07:59 AM
I am so sorry for asking you to repeat yourself when asking for help. Your original question was so clear....
This should work fine assuming that the NAT device Quest uses can translate ESP (protocol 50) packets (which they probably can). You will, of course, need to know the public address that they use for the translation. However, there is nothing special required in the PIX config to terminate the VPN tunnels. As far as the PIX is concerned, he is just looking for IPSec packets destined for his outside IP address (whether that be a public or private address range).
Scott
01-19-2004 12:49 PM
In addition to Scott, I would like to add that having the command isakmp nat-traversal is also required when you want to have VPN clients connecting to the customer's PIX. In most cases the user's real IP is also translated somewhere on the path. In these cases UDP 500 (which is also used for IPsec) will not always return to the client (especially when PAT is involved). So, not having isakmp nat-traversal could give problems with some clients, and thus it is better to have this in place in your config.
I agree with Scott that having a private address on the outside is no problem at all, as long as Quest does a static IP translation for you.
Kind Regards,
Leo
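The point Scott and Leo make above (raw ESP has no ports, so a PAT box on the home user's side cannot keep two clients apart, and IKE replies to UDP 500 may never find their way back through PAT, which is what isakmp nat-traversal / UDP 4500 encapsulation fixes) as an added example, not part of the thread and not Cisco code. It is a toy Python model: the PAT gateway, the client and public addresses (10.0.0.x, 203.0.113.7), and the "strict responder" that answers to port 500 regardless of the source port it saw are all constructed assumptions, and the real NAT-T float from UDP 500 to 4500 after NAT detection is collapsed into "NAT-T clients use 4500". The classify() helper shows how IKE and ESP on UDP 4500 are told apart by the four-byte non-ESP marker from RFC 3948.

```python
"""Toy model of IKE/ESP versus NAT-T (UDP 4500) through a PAT gateway.

Added example for illustration; addresses, ports and the strict-responder
behaviour are assumptions, not observed PIX or ISP behaviour.
"""

ESP = 50           # IP protocol number for ESP (no L4 ports at all)
UDP = 17
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 is prefixed with 4 zero bytes


def classify(proto, dst_port, payload):
    """Label a packet headed for the VPN gateway the way a filter would see it."""
    if proto == ESP:
        return "esp"
    if proto != UDP:
        return "other"
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port == NATT_PORT:
        # UDP-encapsulated ESP starts directly with the SPI, which is never zero;
        # IKE carried on 4500 starts with the all-zero non-ESP marker.
        return "natt-ike" if payload[:4] == NON_ESP_MARKER else "natt-esp"
    return "other"


class PatGateway:
    """Many-to-one NAT: (proto, inside_ip, inside_port) <-> (public_ip, port)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 1024
        self.out = {}    # (proto, inside_ip, inside_port) -> public_port
        self.back = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port):
        """Translate an outbound packet; returns (public_ip, port) or None if it cannot."""
        if proto == ESP:
            # ESP has no ports, so the only key PAT can use is the protocol itself.
            # A second inside host sending ESP cannot be told apart on the way back.
            owner = self.back.get((ESP, None))
            if owner is not None and owner != (src_ip, None):
                return None
            self.back[(ESP, None)] = (src_ip, None)
            return (self.public_ip, None)
        key = (proto, src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(proto, self.next_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out[key])

    def inbound(self, proto, public_port):
        """Map a reply back to the inside host, or None when there is no state for it."""
        return self.back.get((proto, public_port))


def simulate(nat_traversal, strict_responder=True):
    """Two home users behind one PAT box connect to the PIX; returns per-client results.

    strict_responder models (assumed) IKE peers that reply to UDP 500 instead of
    the source port they actually observed, which is the failure Leo describes.
    """
    gw = PatGateway("203.0.113.7")            # constructed public address
    outcome = {}
    for client in ("10.0.0.2", "10.0.0.3"):   # constructed inside clients
        if nat_traversal:
            # With NAT-T both IKE and ESP ride in UDP 4500, so PAT has a port to key on
            # and the peer always replies to the port it saw.
            _, pub_port = gw.outbound(UDP, client, NATT_PORT)
            ike_ok = gw.inbound(UDP, pub_port) == (client, NATT_PORT)
            esp_ok = gw.outbound(UDP, client, NATT_PORT) is not None
        else:
            _, pub_port = gw.outbound(UDP, client, IKE_PORT)
            reply_port = IKE_PORT if strict_responder else pub_port
            ike_ok = gw.inbound(UDP, reply_port) == (client, IKE_PORT)
            esp_ok = gw.outbound(ESP, client, None) is not None
        outcome[client] = {"ike": ike_ok, "esp": esp_ok}
    return outcome


if __name__ == "__main__":
    print("raw IKE/ESP, strict responder:", simulate(False))
    print("raw IKE/ESP, lenient responder:", simulate(False, strict_responder=False))
    print("NAT-T on UDP 4500:", simulate(True))
```

Without NAT-T the first client's ESP gets through but the second collides on the port-less protocol, and with a strict responder neither client ever sees an IKE reply; with NAT-T both clients get distinct UDP 4500 mappings. This is also why the PIX keepalive argument to isakmp nat-traversal matters in practice: the PAT mapping only survives while traffic keeps it alive.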