PIX outside interface with non routable address and VPN

apriore685
Level 1

My customer has a PIX firewall and his ISP is Quest. Quest is doing NAT and PAT for him upstream. He would now like to have workers VPN in from home, but the firewall does not have a legal address on the outside interface; it is translated upstream. Will this be a problem if his outside address is 172.16.40.2 and upstream it is translated to a legal address? Will there need to be any special config on the PIX to accommodate this?

8 Replies

apriore685
Level 1

Hello is this thing on.......

l.mourits
Level 5

Hi,

This could be a problem, depending on the version you're running. As long as you're running PIX-OS 6.3.x and have configured the command "isakmp nat-traversal" you should be fine.

Kind Regards,

Leo

scoclayton
Level 7

Yes, this will most likely not work, as 172.16.40.2 is part of the RFC 1918 address space. This means that this address is marked as a private address and is therefore not routable. No ISP is going to have routing information to tell the home users how to get to this address, so the connection attempts will fail. You may be able to talk to Quest and see if they are statically mapping this address to a publicly routable address on their side. If so, you might be able to use the public address for your users to connect to. Hope this helps.

Scott

Scott

Quest is translating the address upstream, and yes, I am well aware that a 172.16.x.x address is not routable.

OK, then I guess I am confused as to your question. How would you propose that this work then?

Scott

Scott

Just as I said in my original post, Quest is doing all the NATing and translations upstream. The firewall is pointing to Quest. When someone on the outside accesses the Co. web server, Quest translates the address to an internal address and sends it to the firewall. So my question is: since the firewall has a private outside address and is translated upstream at Quest, will VPN work?

I am so sorry for asking you to repeat yourself when asking for help. Your original question was so clear....

This should work fine assuming that the NAT device Quest uses can translate ESP (protocol 50) packets (which they probably can). You will, of course, need to know the public address that they use for the translation. However, there is nothing special required in the PIX config to terminate the VPN tunnels. As far as the PIX is concerned, he is just looking for IPSec packets destined for his outside IP address (whether that be a public or private address range).

Scott

In addition to Scott, I would like to add that having the command isakmp nat-traversal is also required when you want to have VPN clients connecting to the customer's PIX. In most cases the user's real IP is also translated somewhere on the path. In these cases UDP 500 (which is also used for IPsec) will not always return to the client (especially when PAT is involved). So, not having isakmp nat-traversal could give problems with some clients, and thus it is better to have this in place in your config.

I agree with Scott that having a private address on the outside is no problem at all, as long as Quest does a static IP translation for you.

Kind Regards,

Leo
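The two translation cases raised in Scott's and Leo's replies (a static one-to-one translation in front of the PIX, and PAT in front of the home users' clients) can be modelled in a few lines. The following is an added toy simulation, not code from the thread or from Cisco: it builds a static NAT and a PAT device, pushes ESP (IP protocol 50) and NAT-T (ESP in UDP/4500) packets through them, and reports which cases work. All addresses are constructed (RFC 1918 and RFC 5737 documentation ranges) and the `PatDevice` behaviour is a deliberately simple model of a port-keyed translation table, not any particular vendor's implementation.

```python
"""Toy model (constructed, not Cisco code) of NAT versus IPsec.

Static 1:1 NAT only rewrites the IP header, so ESP passes. PAT keys its
table on (protocol, port); ESP carries no transport ports, so a second
inside host's ESP cannot be told apart. NAT-T (RFC 3948) wraps ESP in
UDP/4500, giving PAT the ports it needs.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50           # IP protocol number for ESP
UDP = 17
NAT_T_PORT = 4500  # UDP port for NAT-T encapsulated ESP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: no L4 header to rewrite
    dport: Optional[int] = None


class StaticNat:
    """One-to-one mapping, like an ISP mapping a public IP to the PIX outside address."""

    def __init__(self, inside: str, public: str) -> None:
        self.inside, self.public = inside, public

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        if pkt.src != self.inside:
            return None
        return Packet(pkt.proto, self.public, pkt.dst, pkt.sport, pkt.dport)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        # Only the IP header changes, so any protocol (ESP included) passes.
        if pkt.dst != self.public:
            return None
        return Packet(pkt.proto, pkt.src, self.inside, pkt.sport, pkt.dport)


class PatDevice:
    """Many inside hosts share one public IP, distinguished by (proto, port)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[int, str, Optional[int]], Optional[int]] = {}
        self.inbound: Dict[Tuple[int, Optional[int]], Tuple[str, Optional[int]]] = {}

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.src, pkt.sport)
        if key in self.outbound:
            pub_port = self.outbound[key]
        elif pkt.sport is None:
            # No port to allocate: the only possible entry is keyed on the
            # protocol alone, so a second inside host cannot be added.
            if (pkt.proto, None) in self.inbound:
                return None  # dropped: indistinguishable from the first host
            pub_port = None
            self.outbound[key] = None
            self.inbound[(pkt.proto, None)] = (pkt.src, None)
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, pub_port, pkt.dport)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        entry = self.inbound.get((pkt.proto, pkt.dport))
        if entry is None or pkt.dst != self.public_ip:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)


def run_scenarios() -> Dict[str, bool]:
    """Run the cases from the thread; returns scenario name -> traffic passes."""
    results: Dict[str, bool] = {}

    # 1. The customer's PIX: private outside address, static 1:1 NAT at the ISP.
    isp = StaticNat(inside="172.16.40.2", public="203.0.113.10")
    to_pix = isp.translate_in(Packet(ESP, "198.51.100.7", "203.0.113.10"))
    back = isp.translate_out(Packet(ESP, "172.16.40.2", "198.51.100.7"))
    results["static_nat_esp"] = (to_pix is not None and to_pix.dst == "172.16.40.2"
                                 and back is not None and back.src == "203.0.113.10")

    # 2. Two remote workers behind one PAT box, plain ESP (no NAT-T).
    pat = PatDevice("198.51.100.7")
    first = pat.translate_out(Packet(ESP, "192.168.1.10", "203.0.113.10"))
    second = pat.translate_out(Packet(ESP, "192.168.1.11", "203.0.113.10"))
    results["pat_plain_esp_first_client"] = first is not None
    results["pat_plain_esp_second_client"] = second is not None

    # 3. Same two workers with NAT-T: ESP inside UDP/4500, so PAT has ports.
    pat = PatDevice("198.51.100.7")
    out_a = pat.translate_out(Packet(UDP, "192.168.1.10", "203.0.113.10", NAT_T_PORT, NAT_T_PORT))
    out_b = pat.translate_out(Packet(UDP, "192.168.1.11", "203.0.113.10", NAT_T_PORT, NAT_T_PORT))
    reply_a = pat.translate_in(Packet(UDP, "203.0.113.10", "198.51.100.7", NAT_T_PORT, out_a.sport))
    reply_b = pat.translate_in(Packet(UDP, "203.0.113.10", "198.51.100.7", NAT_T_PORT, out_b.sport))
    results["pat_nat_t_both_clients"] = (reply_a is not None and reply_a.dst == "192.168.1.10"
                                         and reply_b is not None and reply_b.dst == "192.168.1.11")
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'works' if ok else 'fails'}")
```

Running it shows the static case and the NAT-T case passing for every client, while plain ESP from a second client behind the same PAT is dropped, which is the situation Leo's `isakmp nat-traversal` recommendation addresses on the PIX side.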