09-17-2002 04:04 PM - edited 02-21-2020 12:04 PM
I'm trying to set up the following:
PC1(vpn client)-|----DSL(NAT/PAT)----(internet)----Cisco1750(3DES-IPSEC)
                |
PC2(vpn client)-|
The idea here is to be able to terminate VPNs through a DSL device that's doing PAT (NAT overload). The issue here is to be able to initiate different SAs (from different PCs using VPN client 3.x) that are initiated from the same public IP address (the one given by the ISP for the DSL connection).
On the VPN client I saw an option that 'allows' me to use the client over NAT/PAT/FIREWALL, but it calls for me to designate a particular TCP arrival port that will be used to send the IPSec request to the tunnel terminator; the thing here is that I haven't found any info on how to use this.
Anyone tried this setup? Do you have a URL/configs I can take a look at?
Thanks,
carlos.
09-18-2002 12:52 PM
The feature you're referring to is called transparent tunneling. It uses either TCP or UDP as a transport, thereby allowing it to work through PAT devices. As far as I know, it's only supported on the VPN concentrator (the PIX is supposed to support this on the next release).
Someone correct me if I'm wrong, but I don't think it's supported on the router (yet).
09-27-2002 04:23 AM
Yes, but routers can do PAT and pass thru IPSec. PIX - cannot (?).
Look at http://www.cisco.com/warp/public/471/ios_pat_ipsec_tunnel.html
though it is of no use for the initial question.
10-04-2002 04:27 AM
I know you can do the 'Allow IPSec over UDP' terminating on PIX 6.2(2), because I'm using it.
Have not been able to find out how to do 'IPSEC over TCP' though...
Not sure if it's possible using Router IOS.
10-26-2002 04:55 AM
It does work, but the transparent tunneling is irrelevant for router IOS because you're not tunneling thru to the actual IPSec device - the router _is_ the tunnel endpoint.
Yes, you can do NAT/PAT for vpns with different policies. Create different ipsec internal pools, and associate different SAs with those respective pools. Also, be sure to replace the existing NAT/PAT translations with the nonat route map shown in the IPSec examples.
-Jeff
11-25-2002 07:01 AM
Hi Jeff,
Here is my design:
VPN client 1--------|-----router----(IPSEC)---PIX
                    |
VPN client 2--------|
When I connect first with one client, it's OK!
When I connect the second client, the first one is dropped and the second is OK.
I'm doing PAT on the router and I'm using UDP; the router gets its public IP address from the ISP.
I've been told that multiple VPN clients cannot run at the same time behind PAT, since IPSEC uses the UDP port as source and destination address.
Are you sure it can work? If yes, what should I implement on the PIX?
Regards,
10-29-2002 10:46 AM
I forgot to attach the working config, changed to remove my own stuff.
-Jeff
-----------------------------------------------------
username testvpn password 12345
!
! AAA lists referenced by the crypto map below (userauthen = XAuth user
! login, groupauthor = group authorization). These three lines are not in
! the posted config and were added so the named lists exist; both resolve
! against the local user database.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
ip subnet-zero
!
! Phase 1 policy for the VPN client: 3DES, pre-shared group key, DH group 2
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
! Group policy pushed to clients via mode config: DNS/WINS/domain and the
! address pool
crypto isakmp client configuration group mygroup
 key mykey
 dns 192.168.1.5
 wins 192.168.1.5
 domain mydomain.net
 pool ipsec-pool
!
! Phase 2 transform set; the dynamic map must reference this exact name
! (the posted config referenced a non-existent "myset")
crypto ipsec transform-set bciset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set bciset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 description Connected to Cisco 2924 Port 24
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 description Outside public interface
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map clientmap
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 10.0.0.0 0.255.255.255 area 0.0.0.0
 network 172.16.0.0 0.0.31.255 area 0.0.0.0
 network 192.168.0.0 0.0.255.255 area 0.0.0.0
 default-information originate
!
! Addresses handed out to VPN clients
ip local pool ipsec-pool 192.168.0.50 192.168.0.75
!
! PAT (overload) on the outside interface, applied only to traffic the
! nonat route-map permits
ip nat inside source route-map nonat interface Ethernet0/1 overload
!
! Exempt LAN -> VPN-pool traffic from PAT so it is encrypted rather than
! translated; everything else from the LAN is PATed to the internet
access-list 191 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 191 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 191