Cisco Support Community
Community Member

VPN Client Accessing a Cisco VPN Box Through a *nix Firewall

Greetings, all:

A problem has been tossed in my lap, and I could use some help on it. First, a bit of background:

I have a WAN connected to the Internet through a *nix packet-filtering firewall. All addresses in the WAN are static, as is the external address on the firewall. The WAN router, in the same subnet as the firewall's internal interface, has a static route in it to pass all unknown address traffic to the IP of the firewall's internal interface (whereupon the traffic is then forwarded onto the Internet). The IP addresses in our WAN are neither registered to us (it's a long story...), nor are they the traditional 10., 172., 192.168. private network addresses. As such, we are performing network address translation to move traffic back and forth across the Internet.

The situation:

A neighboring county organization has come in to one of the departments serviced by this Internet connection and installed Cisco's VPN Client software on 4 PCs in our WAN. The hope is to get these PCs to make a VPN connection to their network. As I watched the installer work, he loaded MSIE, typed in the following address:

and waited for a connection. Eventually, the connection timed out. He has stated that each internal client must have a distinct IP address as the packets left the firewall. This conflicts with my NAT scheme, as when all packets leave my firewall, they all have the source address of the firewall's external IP. When pressed for more details (such as what port was being used), the installer appeared to become quickly confused, and started talking about Windows NT.

So, with all of that, can anyone give me a better idea of what this VPN Client might be doing, and what (generally speaking) must take place at the firewall to be able to pass the packets through? As luck would have it, I have just received a number of quotes for a Cisco VPN box to which I will be connecting a number of clients of my own; however, that project is not slated to begin until sometime in December. Other questions: Can anyone confirm the installer's statement that the Cisco VPN box must recognize each connection as having a distinct IP? What port does this service use? Finally, since the Cisco VPN Client is using IPSec (as best I can tell), can the Cisco VPN Client be used with other IPSec VPNs, and can other IPSec clients be used with the Cisco VPN boxes?

Thanks in advance!

Rich Lohman

Community Member

Re: VPN Client Accessing a Cisco VPN Box Through a *nix Firewall

Rich, it would help knowing which client and VPN concentrator they're using. Without knowing that, the VPN3000 client has a checkbox in Options/Properties/General for "allow IPSEC thru NAT mode". Of course the concentrator on the other end has to be configured to allow that. If that doesn't work, you may be able to pass UDP 500 and Protocol 50. I just got this working through both a proxy server and firewall on the client side, and used the latter. If you can't use the NAT checkbox, you will probably have to give the clients a static address on the outside for the port solution to work, unless you can convince them to only use it one at a time. ;)

Community Member

Re: VPN Client Accessing a Cisco VPN Box Through a *nix Firewall

Your problem is a result of trying to pass IPSEC traffic through a device that performs PAT (Port Address Translation). The installer is incorrect in his statement that a unique (Internet-routable) address for each VPN client is required.

The problem can be resolved only if the VPN terminating device on the outside is capable of NAT Transparent mode. The Cisco VPN Concentrator is capable of this function. The NAT transparent mode in the VPN 3000 Client solves this problem by encapsulating ESP within UDP and sending it to a negotiated port. Enable this feature on the VPN Client (IPSec through NAT, located in the connection properties) and, to activate it on the VPN 3000 Concentrator, select IPSec through NAT.

Use the following procedure to configure NAT transparent mode on the VPN Concentrator.

On the VPN Concentrator, go to Configuration > User Management > Groups.

To add a group, select Add. To modify an existing group, select it and click Modify.

Click the IPSec tab, check IPSec through NAT and configure the IPSec through NAT UDP Port. The default port for IPSec through NAT is 10000 (source and destination), but this setting may be changed.

I hope this helps. If you have any problems e-mail me.
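The two replies above come down to one mechanism: a PAT firewall multiplexes inside hosts on transport-layer ports, and ESP (IP protocol 50) has none, so replies from the concentrator cannot be mapped back to the right PC once more than one client is active; wrapping ESP in UDP on the IPSec-through-NAT port (10000 by default, per the post) gives the firewall a port to work with. The following is an added illustration, not code from the thread or from Cisco: a toy PAT table that shows the ESP reply being misdelivered with two clients, and the UDP-encapsulated variant being routed correctly. All addresses are constructed (TEST-NET ranges), the firewall's "last inside host that sent ESP to this peer" heuristic is an assumption about a simple passthrough device, and the packets are simplified tuples rather than real IPsec.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed addresses for the illustration (not from the thread).
INSIDE_A = "192.0.2.11"          # first PC behind the *nix firewall
INSIDE_B = "192.0.2.12"          # second PC behind the *nix firewall
FW_EXTERNAL = "203.0.113.1"      # firewall's single external address
CONCENTRATOR = "198.51.100.10"   # the neighbouring county's VPN concentrator
NAT_T_PORT = 10000               # default IPSec-through-NAT UDP port named in the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "udp" or "esp"
    src_port: Optional[int] = None   # ESP carries no transport ports
    dst_port: Optional[int] = None
    spi: Optional[int] = None        # ESP Security Parameter Index; chosen by the receiver, not a port


class PatFirewall:
    """Minimal model of a port-address-translating firewall (assumption: simple passthrough device)."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        self._udp_out: Dict[Tuple[str, int], int] = {}   # (inside ip, inside port) -> outside port
        self._udp_in: Dict[int, Tuple[str, int]] = {}    # outside port -> (inside ip, inside port)
        self._esp_last_sender: Dict[str, str] = {}       # peer ip -> inside host that last sent ESP to it

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "udp":
            key = (pkt.src_ip, pkt.src_port)
            if key not in self._udp_out:          # allocate a fresh, unique outside port per inside flow
                port = self._next_port
                self._next_port += 1
                self._udp_out[key] = port
                self._udp_in[port] = key
            return replace(pkt, src_ip=self.external_ip, src_port=self._udp_out[key])
        if pkt.proto == "esp":
            # Nothing to rewrite but the source address; remember who last talked to this peer.
            self._esp_last_sender[pkt.dst_ip] = pkt.src_ip
            return replace(pkt, src_ip=self.external_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if the firewall has no mapping and drops it."""
        if pkt.proto == "udp":
            key = self._udp_in.get(pkt.dst_port)
            if key is None:
                return None
            inside_ip, inside_port = key
            return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
        if pkt.proto == "esp":
            # The reply's SPI was chosen by the inside client during IKE and never appeared in any
            # outbound ESP header, so a plain PAT device has nothing to key on except "last sender".
            inside_ip = self._esp_last_sender.get(pkt.src_ip)
            if inside_ip is None:
                return None
            return replace(pkt, dst_ip=inside_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")


def raw_esp_two_clients() -> Dict[str, Optional[str]]:
    """Both PCs run plain ESP to the same concentrator; see where each reply lands."""
    fw = PatFirewall(FW_EXTERNAL)
    fw.outbound(Packet(INSIDE_A, CONCENTRATOR, "esp", spi=0x1001))
    fw.outbound(Packet(INSIDE_B, CONCENTRATOR, "esp", spi=0x2002))
    reply_a = fw.inbound(Packet(CONCENTRATOR, FW_EXTERNAL, "esp", spi=0xA001))  # meant for A
    reply_b = fw.inbound(Packet(CONCENTRATOR, FW_EXTERNAL, "esp", spi=0xB002))  # meant for B
    return {
        "reply_for_A_delivered_to": reply_a.dst_ip if reply_a else None,
        "reply_for_B_delivered_to": reply_b.dst_ip if reply_b else None,
    }


def udp_encapsulated_two_clients() -> Dict[str, Optional[object]]:
    """Same two PCs, but ESP is wrapped in UDP 10000 as the concentrator's NAT transparent mode does."""
    fw = PatFirewall(FW_EXTERNAL)
    out_a = fw.outbound(Packet(INSIDE_A, CONCENTRATOR, "udp", NAT_T_PORT, NAT_T_PORT))
    out_b = fw.outbound(Packet(INSIDE_B, CONCENTRATOR, "udp", NAT_T_PORT, NAT_T_PORT))
    # The concentrator answers to whatever source port it saw, which PAT made unique per PC.
    reply_a = fw.inbound(Packet(CONCENTRATOR, FW_EXTERNAL, "udp", NAT_T_PORT, out_a.src_port))
    reply_b = fw.inbound(Packet(CONCENTRATOR, FW_EXTERNAL, "udp", NAT_T_PORT, out_b.src_port))
    return {
        "outside_port_A": out_a.src_port,
        "outside_port_B": out_b.src_port,
        "reply_for_A_delivered_to": reply_a.dst_ip if reply_a else None,
        "reply_for_B_delivered_to": reply_b.dst_ip if reply_b else None,
        "inside_port_restored": reply_a.dst_port if reply_a else None,
    }


if __name__ == "__main__":
    print("plain ESP:", raw_esp_two_clients())
    print("UDP-encapsulated:", udp_encapsulated_two_clients())
```

With plain ESP the second PC to connect "steals" the only mapping the firewall can keep, so PC A's replies are delivered to PC B, which is exactly why one client at a time works and two do not. With UDP encapsulation each PC gets its own outside port and the replies come back to the right host, which is the property the IPSec-through-NAT setting on the concentrator and client provides.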
Community Member

Re: VPN Client Accessing a Cisco VPN Box Through a *nix Firewall

Thanks, all for the help. I'll give those suggestions a try.

Rich Lohman
