Difficulty getting VPN through PIX 506E firewall without NAT

mrechtfertig
Level 1

I am trying to make a VPN connection from inside out firewall to an external VPN server. This goes through a PIX 506E that was not originally setup by me.

The connection finds the correct IP, but gets stuck at the validation and authentication of username and password stage of the connection.

This only happens if I do not have NAT setup for that IP. If I setup a static NAT the VPN connection works fine. I have tried opening up the ports, but what I have done does not seem to fix it.

Could someone please help me to get this to allow a VPN connection from anyone inside of the firewall?

I have attached the 'show config' from the PIX, removing IP addresses and server names for security purposes. All necessary information should be available, otherwise I can provide it.

-Mark

11 Replies

aacole
Level 5

Mark,

This is due to the way your VPN client handles the NAT process, you need to enable NAT-T support on your client and on the external VPN server.

What happens is that with static NAT the IPSec IKE and ESP packets are not affected by crossing the NAT boundary as the encapsulation will be using IPSec tunnel mode. The tunnel mode IP header is not modified by this process.

But, when your PIX is configured to use NAT/PAT or NAT overload using the NAT and Global statements the NAT process changes the source port. The packet is received by the far end, it's checked and found to have been tampered with along the way so it's discarded.

The way around this is to enable NAT-T, this process detects the NAT/PAT boundary and encapsulates the whole lot in an additional UDP packet.

You need to check that both ends can support this and turn it on.

Andy

By VPN client do you mean the computer that is trying to make the connection or the firewall that it goes through?

Can you tell me how to check and enable this or direct me to an article that will show me?

Also, I have no control over the external VPN server. Is there a way to check without having the control?

-Mark

you mentioned "If I setup a static NAT the VPN connection works fine.", and this indicates the fact that the vpn server doesn't support PAT.

as you may already know, one way is to assign a static nat for your pc; the other way is to configure the vpn server to support pat (i.e. nat traversal).

assuming it's a pix, add the command below:

isakmp nat-traversal

When I entered the line it did not apply the command. It gave a usage list that did not even include 'nat' in it. I am still new to configuring these, any help is appreciated.

I added the line and I received the following message:

Result of PIX command: "isakmp nat-traversal "

usage: isakmp policy authen

isakmp policy encrypt

isakmp policy hash

isakmp policy group <1|2>

isakmp policy lifetime

isakmp key address [netmask ] [no-xauth] [no-config-mode]

isakmp enable

isakmp identity

isakmp keepalive []

isakmp client configuration address-pool local []

isakmp peer fqdn|ip [no-xauth] [no-config-mode]

The NAT-T command is not supported in PIX 6.1, it was introduced in (I think) 6.3.

But, this PIX is not your VPN server or client device is it? In which case you have no need to apply the command here anyway.

That's correct, the VPN Client is the software application.

But, just thinking about this, am I correct in understanding that the computer that is trying to make the connection is running the VPN client software? I expect this to be the case due to your explanation of how you got it working using the different NAT commands on your firewall.

If you're using the Cisco VPN client the NAT options are set on the Transport tab, found by clicking on the Modify tab on the client dialogue box.

As for the external VPN server you would have to ask the server administrator.

I am using the VPN connection software that comes with Win XP Pro to try to make the connection from the computer inside the firewall (through the internet connections wizard). We do not have a separate VPN client.

Is the previous command that was suggested still applicable?

Mark

Mark,

XP pro prior to SP2 didn't support NAT-T, the feature was introduced in that release.

More information here:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043

The NAT-T support has to be enabled on both the client and the VPN server, so that it passes over firewalls encountered along the path.

If the terminating firewall was a PIX then the command described by Jackko would enable the NAT-T feature and allow the firewall to recognise the NAT-T packets.

NAT-T allows detection of a NAT boundary somewhere along the path, if there is no NAT boundary then although the feature is available it's not used.

So you need to check if the VPN server has this feature enabled.

Andy

I have sent an inquiry to the owner of the VPN server. Until I receive a response from them I wanted to be certain that I have this correct.

[diagram attachment]

In that diagram, the VPN connection is going from the box labeled Win XP SP2 to VPN Server. If I understand correctly the box labeled firewall? needs to have the NAT-T enabled, but the default config on the XP SP2 box is ok. Does anything need to be done to the box labeled PIX?

Is that correct?

Mark

Here is the attachment that goes with the previous post. I have copied the post here for ease of use.


the feature "nat-t" should be configured directly on the vpn server.

with both firewalls, an inbound acl may be required permitting the following:

udp 500

udp 4500

ip 50
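To make Andy's NAT-T explanation and Jackko's ACL concrete, here is an added example (not from this thread or from Cisco) that classifies the packet types those three ACL entries cover: IKE on UDP 500, NAT-T traffic on UDP 4500 (IKE with the 4-byte non-ESP marker, UDP-encapsulated ESP, and the 1-byte keepalive, all per RFC 3948), and raw ESP (IP protocol 50, which carries no ports for PAT to rewrite). The sample packets are constructed inline; the addresses and ESP SPI are made up.

```python
import struct

PROTO_UDP, PROTO_ESP = 17, 50
ISAKMP_PORT, NAT_T_PORT = 500, 4500

def classify(packet: bytes) -> str:
    """Label an IPv4 packet: ike, ike-nat-t, esp-udp-encap, nat-keepalive, esp or other."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"                       # IP protocol 50: no ports, so PAT has nothing to rewrite
    if proto != PROTO_UDP:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data = packet[ihl + 8:]                # UDP payload
    if ISAKMP_PORT in (sport, dport):
        return "ike"                       # plain IKE on UDP 500
    if NAT_T_PORT in (sport, dport):
        if data == b"\xff":
            return "nat-keepalive"         # RFC 3948 keepalive holds the PAT mapping open
        if data[:4] == b"\x00\x00\x00\x00":
            return "ike-nat-t"             # non-ESP marker: IKE floated to UDP 4500
        return "esp-udp-encap"             # first 4 bytes are a non-zero ESP SPI
    return "other"

def permitted(packet: bytes) -> bool:
    """Mirror the inbound ACL suggested in the thread: udp 500, udp 4500, ip 50."""
    return classify(packet) != "other"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Constructed IPv4+UDP packet (checksum left zero)."""
    return ipv4(PROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

# Constructed samples: one packet of each kind the ACL has to let through, plus one it should not.
ESP_BODY = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xaa" * 16   # made-up SPI, seq, ciphertext
SAMPLES = {
    "ike": udp(500, 500, b"\x11" * 8 + b"\x00" * 20),
    "ike-nat-t": udp(4500, 4500, b"\x00\x00\x00\x00" + b"\x11" * 28),
    "esp-udp-encap": udp(41234, 4500, ESP_BODY),
    "nat-keepalive": udp(4500, 4500, b"\xff"),
    "esp": ipv4(PROTO_ESP, ESP_BODY),
    "other": udp(53, 53, b"\x00" * 12),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {classify(pkt):14s} permitted={permitted(pkt)}")
```

Run on a capture from the outside interface, a classifier like this shows whether the far end is actually floating to UDP 4500 (NAT-T in use) or still sending raw ESP, which is what PAT cannot carry.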
