What is NAT-T, how do I forward ports?

m-jankowski
Level 1

I'm having an issue with my VPN software connecting to a remote PIX. It had to go through my home PIX first.

I was told to use NAT-T and forward UDP 4500 but I don't know how to do either of these.

Can anyone help please? I've been trying to get this working for almost 2 weeks.

18 Replies

acomiskey
Level 10

Add "isakmp nat-traversal" to pix. This will allow ipsec to function with pat. UDP 4500 is the port that ipsec over udp uses for udp encapsulation of esp packets.

Kamal Malhotra
Cisco Employee

Hi,

In the VPN client application, select the specific connection entry, modify it, go to the Transport tab and make sure 'Enable Transparent Tunneling' is checked and 'IPSEC over UDP (NAT/PAT)' is selected.

HTH,

Kamal

Great suggestions... I appreciate your responses; however, it still does not work. Unless I am missing something, I think it would be better if I posted my config? Also maybe a step-by-step to configure it would help.

Yes, post your config; remove all sensitive information (passwords etc.).

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging console informational
logging buffered informational
icmp deny any outside
mtu outside 1500
mtu inside 4000
ip address outside dhcp setroute retry 4
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.255 inside
pdm location 0.0.0.0 255.0.0.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 68.66.174.196 255.255.255.255 outside
pdm logging informational 200
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
rip inside passive version 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
isakmp enable outside
isakmp enable inside
isakmp identity address
isakmp nat-traversal 20
telnet timeout 5
ssh 192.168.1.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username password encrypted privilege 15
terminal width 80
Cryptochecksum:
: end
[OK]

Hi,

Please try this :

access-list outside_in permit udp any any eq 500

access-list outside_in permit udp any any eq 4500

access-group outside_in in interface outside

You can replace the source 'any' with the remote peer's public IP address.

HTH,

Regards,

Kamal

Is there a command that I can use to send that to the PIX? I tried sending that and it didn't change anything in the access list.

Hi Marc,

These are three different commands :

access-list outside_in permit udp any any eq 500

access-list outside_in permit udp any any eq 4500

access-group outside_in in interface outside

Please log in to the PIX using telnet or SSH and paste these commands. If you access it using PDM, then go to 'Tools' and 'Command Line Interface' and then paste one command at a time.

It should work.

Regards,

Kamal

It still won't let me browse the remote network. Just to clarify... I disconnected the PIX today and went right through the cable modem, no firewall, and everything worked.

I reset the PIX to factory defaults and re-input those commands. Still won't let me browse the network or use remote desktop.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit udp any any eq isakmp
access-list outside_in permit udp any any eq 4500
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
[OK]

I'm getting this error in my logs..

3 Feb 17 2007 02:30:24 305006: portmap tranlation cration failed for protocol 50 src inside: *My computer* dst outside: *Remote Site*

After a quick search I found that these three commands needed to be run:

fixup protocol esp-ike

access-list outside_access_in permit esp any any

access-group outside_access_in in interface outside

Apparently... the PIX was blocking protocol 50, which is the ESP/encapsulating protocol for IPsec? Oh well, either way it works. Thank you all for your help.. someone should write an article about this.
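Two points in this thread are worth seeing in code: acomiskey's note that UDP 4500 is where NAT-T carries ESP inside UDP so that PAT has ports to work with, and the 305006 log above, where the PIX could not build a port translation for protocol 50 because bare ESP has no port field at all. The script below is an added example and is not code from the thread or from Cisco. It demultiplexes UDP/4500 payloads the way RFC 3948 defines them (a four-zero-byte non-ESP marker in front of IKE, a single 0xFF byte as NAT keepalive, otherwise an ESP packet starting with its SPI) and models a toy PAT table that, like any single-address PAT device, can rewrite UDP but has nothing to rewrite for raw ESP. The addresses, SPI and IKE header bytes are constructed here, and the `PatTable` class is a simplified model, not PIX behaviour.

```python
"""Added example: RFC 3948 UDP/4500 demultiplexing plus a toy PAT table.

Demonstrates (1) how a NAT-T receiver tells IKE, NAT keepalives and ESP apart
when all three arrive on UDP 4500, and (2) why raw ESP (IP protocol 50) cannot
be port-translated while UDP-encapsulated ESP can. All packets are constructed.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one 0xFF byte refreshes the NAT mapping


def classify_udp4500(payload: bytes) -> str:
    """Return 'keepalive', 'ike', 'esp' or 'malformed' for a UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:                      # ESP header = SPI (4) + sequence (4)
        (spi,) = struct.unpack("!I", payload[:4])
        if spi != 0:                           # SPI 0 is reserved, so a real ESP packet is nonzero here
            return "esp"
    return "malformed"


def build_esp(spi: int, seq: int, data: bytes) -> bytes:
    """Construct a toy ESP packet: SPI, sequence number, then (already encrypted) data."""
    return struct.pack("!II", spi, seq) + data


def build_ike_on_4500(ike_header: bytes) -> bytes:
    """Wrap an IKE message for UDP/4500 by prefixing the non-ESP marker."""
    return NON_ESP_MARKER + ike_header


class PatTable:
    """Toy port address translation: one outside IP, flows told apart by port."""

    def __init__(self, outside_ip: str, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.xlate = {}  # (proto, inside_ip, inside_port) -> outside_port

    def translate(self, pkt: dict):
        """Return the translated packet, or None when no translation is possible."""
        if pkt["proto"] not in ("udp", "tcp"):
            # Protocol 50 has no port field, so there is nothing to map a second
            # inside host onto; this is the situation behind a 305006-style failure.
            return None
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        out = dict(pkt)
        out["src"], out["sport"] = self.outside_ip, self.xlate[key]
        return out


def demo() -> dict:
    """Run the constructed scenario and return the results for inspection."""
    pat = PatTable("203.0.113.1")  # constructed outside address (TEST-NET-3)
    esp = build_esp(0x12345678, 1, b"ciphertext")
    peer = "198.51.100.7"          # constructed remote peer
    bare = {"proto": "esp", "src": "192.168.1.50", "sport": None,
            "dst": peer, "dport": None, "payload": esp}
    # Two inside hosts behind the same PAT, both using NAT-T on UDP 4500.
    encap = [{"proto": "udp", "src": host, "sport": 4500, "dst": peer,
              "dport": 4500, "payload": esp}
             for host in ("192.168.1.50", "192.168.1.51")]
    return {
        "bare_esp_translated": pat.translate(bare),                 # None: no ports to rewrite
        "encap_esp_ports": [pat.translate(p)["sport"] for p in encap],  # distinct outside ports
        "classes": [classify_udp4500(x) for x in
                    (esp, build_ike_on_4500(b"\x01" * 28), NAT_KEEPALIVE)],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `encap_esp_ports` result is the reason acomiskey's later remark about "more than 1 vpn session" holds: with UDP encapsulation each inside host gets its own outside port, whereas bare ESP from a second host has no field the PAT can change, so only the first flow (if any) can be distinguished.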

It should not be that way.

Going back to the original problem, what pix are we dealing with, local or remote?

You need to add "isakmp nat-traversal" to remote pix.

As it is now, you are not running nat-t and will not be able to establish more than 1 vpn session.

The problem has nothing to do with the remote PIX. The local PIX was blocking the VPN connections.
