Question - VPN outbound on PIX

whitelori
Level 1

Our PIX firewall allows everything established from the inside. In the past, we tried establishing VPN connections from inside our network to a VPN concentrator on the Internet and it didn't work. We were told that doing VPN from behind a firewall wasn't possible (I can't recall who told us that). Just last week however, we had a client doing VPN to their network through our firewall. I don't have the specifics on equipment or protocol. Technically, I would like to know what can and can't be done from the inside using VPN and understand the reasons. We have gone through a few upgrades on the PIX from v5.0 to v6.2 and I assume this may have something to do with it. If someone could assist or direct me to some documentation that explains this in further detail, it would be very much appreciated.

Thanks!

Lori White

Accepted Solution

gfullage
Cisco Employee

The big problem with IPSec through a firewall is not so much the filtering (the specific protocols can easily be let through), but generally the NAT'ing, or more specifically, the PAT'ing (Port Address Translation). VPNs usually use either IPSec or PPTP, both of which use a protocol that is not TCP or UDP based (ESP and GRE respectively). When doing PAT however, this relies on a TCP or UDP port number to differentiate between the different sessions, and so when a protocol comes in that doesn't have this, it is usually dropped by the PAT'ing device.

A lot of VPN solutions now have a feature called IPSec over UDP, or IPSec over TCP, or IPSec Transparency, or whatever you want to call it. Basically the VPN client and concentrator encapsulate the IPSec ESP packets into a UDP or TCP packet depending on the implementation; this packet can then be PAT'd correctly and everything works fine. Your client was probably using something like this.

PIX 6.3 code will have support for IPSec and PAT, but only for one internal IPSec session. Your best bet is to see if whatever VPN software you're using supports some sort of UDP or TCP encapsulation, then you'll be off and running.

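As an added illustration (not code from this thread, from Cisco, or from the PIX), here is a small Python model of a PAT device that shows the point made above: the translation table is keyed on protocol plus port, so bare ESP (IP protocol 50) and GRE (IP protocol 47) flows have nothing to map and are dropped, while the same tunnel wrapped in UDP (for example port 4500) or TCP (for example port 10000, the client setting quoted in this thread) gets a distinct mapping per inside client. All addresses, hosts and port numbers are constructed for the example.

```python
# Added illustration, not code from the thread or from Cisco: a minimal PAT model
# showing why bare ESP/GRE cannot be translated while UDP/TCP-wrapped IPSec can.
from dataclasses import dataclass, field
from typing import Optional

ESP, GRE, TCP, UDP = 50, 47, 6, 17
OUTSIDE_IP, CONCENTRATOR = "203.0.113.1", "198.51.100.10"  # constructed addresses

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP/GRE: they carry no port numbers
    dport: Optional[int] = None

@dataclass
class PatDevice:
    next_port: int = 1024
    fwd: dict = field(default_factory=dict)  # (proto, inside_ip, inside_port) -> outside_port
    rev: dict = field(default_factory=dict)  # (proto, outside_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inside->outside packet; None means the PAT device drops the flow."""
        if pkt.sport is None:            # no port: nothing to key the reverse mapping on
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.fwd:          # first packet of a session: allocate an outside port
            self.fwd[key] = self.next_port
            self.rev[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(OUTSIDE_IP, pkt.dst, pkt.proto, self.fwd[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host that owns the outside port, or drop it."""
        inside = self.rev.get((pkt.proto, pkt.dport))
        return Packet(pkt.src, inside[0], pkt.proto, pkt.sport, inside[1]) if inside else None

def round_trip(pat: PatDevice, pkt: Packet) -> Optional[Packet]:
    """Send pkt out and the concentrator's reply back; return what the client receives."""
    out = pat.outbound(pkt)
    return pat.inbound(Packet(out.dst, out.src, out.proto, out.dport, out.sport)) if out else None

def tunnels(proto: int, port: Optional[int] = None):
    """Two inside clients to one concentrator; port=None models bare ESP or GRE."""
    pat = PatDevice()
    return [round_trip(pat, Packet(h, CONCENTRATOR, proto, port, port)) for h in ("10.0.0.5", "10.0.0.6")]
```

`tunnels(ESP)` and `tunnels(GRE)` return no replies at all, whereas `tunnels(UDP, 4500)` and `tunnels(TCP, 10000)` deliver each concentrator reply to the right inside host.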

6 Replies


Hello,

So does this mean that the Cisco VPN Client supports this ?

"Your best bet is to see if whatever VPN software you're using supports some sort of UDP or TCP encapsulation, then you'll be off and running".

Is this the section of the VPN Client that has a configuration for:

"Use IPSEC over TCP" "TCP Port 10000"

I have tried this and cannot get it to work.

thanks

-pat

Both ends of the VPN will need to support IPSec over TCP/UDP. The Cisco VPN client does indeed support this, as does the Cisco VPN Concentrator. The PIX however currently does not support it, so you can establish a VPN using IPSec over TCP/UDP from a Cisco VPN Client to a Concentrator, but not to a PIX.

Rgds

Kev

Thanks very much for the reply.

So if I understand you correctly, it is OK to be behind a PIX with a client, as long as you are terminating the VPN tunnel to a concentrator?

-pat

Correctamundo, providing you set up both the VPN client AND the concentrator to do IPSec over TCP or UDP.

What is required to get any internal client behind the PIX to connect to any VPN host on the outside? From my understanding of the implicit rules, I thought since the connection was initiated from the inside, it would work fine. It times out with error 721 if I do not add an access command similar to the following:

access-list acl-out permit gre any any

Is there a better way to accomplish this without opening up such a hole?

-Glenn
