Connecting a VPN Client behind a firewall thru TCP port 443 to a PIX

Post by Edgar Raa » Tue, 29 Jul 2003 21:56:53



Hi,

The VPN client connects into the PIX when I "Enable Transparent Tunneling
(IPsec over UDP)" but fails when using "Use IPSec over TCP Port 443 or
10000".

Is TCP tunneling only available against a VPN 300x concentrator, or does the
PIX in V6.3(1) support this thru the isakmp nat-traversal command?

best regards
edgar


Connecting a VPN Client behind a firewall thru TCP port 443 to a PIX

Post by Jyri Korhone » Tue, 29 Jul 2003 22:13:49



> The VPN client connects into the PIX when I "Enable Transparent
> Tunneling (IPsec over UDP)" but fails when using "Use IPSec over
> TCP Port 443 or 10000".

> Is TCP tunneling only available against a VPN 300x concentrator,
> or does the PIX in V6.3(1) support this thru the isakmp nat-traversal
> command?

I'm sorry, but even the latest Pix OS 6.3(2) supports only UDP
tunneling with fixed port 4500 so you can't change the port.
TCP tunneling is available only with a Cisco VPN Concentrator.


Connecting a VPN Client behind a firewall thru TCP port 443 to a PIX

Post by Jason Ka » Wed, 30 Jul 2003 14:35:09




>> The VPN client connects into the PIX when I "Enable Transparent
>> Tunneling (IPsec over UDP)" but fails when using "Use IPSec over
>> TCP Port 443 or 10000".

>> Is TCP tunneling only available against a VPN 300x concentrator,
>> or does the PIX in V6.3(1) support this thru the isakmp nat-traversal
>> command?
> I'm sorry, but even the latest Pix OS 6.3(2) supports only UDP
> tunneling with fixed port 4500 so you can't change the port.
> TCP tunneling is available only with a Cisco VPN Concentrator.

And to be more precise, IPSec over UDP on port 4500 is only available
when making VPN connections to the PIX when the VPN client is NAT'ed.
Why?  Because the PIX only implements IETF NAT-Traversal, which detects
the presence of NAT by sending NAT Discovery packets with hashes of the
source and destination IP address(es) and ports.  Thus, if you make a
VPN connection to a PIX and the VPN client isn't NAT'ed, you won't get
IPSec over UDP on port 4500 (unless the PIX itself is NAT'ed, but that
is a strange case).

In the VPN Concentrator, IPSec over UDP (default is on port 10000, but
it can be changed), NAT-Traversal, and IPSec over TCP (can specify the
port) are independent options.  Thus, if you enable both IPSec over UDP
(on the default port of 10000) and NAT-Traversal in the VPN Concentrator,
non-NAT'ed remote clients will do IPSec over UDP on port 10000 and
NAT'ed VPN clients will do IPSec over UDP on port 4500.

--
Jason Kau
http://www.cnd.gatech.edu/~jkau


Connecting a VPN Client behind a firewall thru TCP port 443 to a PIX

Post by xx » Wed, 30 Jul 2003 19:08:40


Jason,

the PIX supports "isakmp nat-traversal" starting with V6.3(1). What exactly
is it doing (the Cisco doc isn't clear on it, at least for me)?

Turning it off allows me to connect into the PIX (UDP wise, not TCP).
Turning it on will disable UDP connections, and TCP port 10000 will cause the
PIX to report to the syslog that it denied connections to its outside
interface.

best regards
edgar


Connecting a VPN Client behind a firewall thru TCP port 443 to a PIX

Post by Jason Ka » Thu, 31 Jul 2003 09:41:15



> the PIX supports "isakmp nat-traversal" starting with V6.3(1). What exactly
> is it doing (the Cisco doc isn't clear on it, at least for me)?

It turns on IETF NAT-Traversal which uses IPSec over UDP on port 4500.

> Turning it off allows me to connect into the PIX (UDP wise, not TCP).

If you turn it off, you're NOT doing IPSec over UDP, you're doing straight
IPSec (ESP).  Are you saying you disable it and the Cisco VPN client
reports "Transparent Tunneling: Active on UDP port XXXXX"?

> Turning it on will disable UDP connections, and TCP port 10000 will cause the
> PIX to report to the syslog that it denied connections to its outside
> interface.

The PIX doesn't do IPsec over TCP at all.  Turning it on should allow
IPSec over UDP on port 4500--the VPN client should report "Transparent
Tunneling: Active on UDP port 4500".

--
Jason Kau
http://www.cnd.gatech.edu/~jkau
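The NAT detection that Jason describes in his two replies (NAT Discovery payloads carrying hashes of the IP address and port, with a mismatch meaning a NAT sits in the path and the tunnel floats to UDP/4500) can be shown in a few lines. The following is an added example written for this page, not code from any of the posters or from Cisco: it implements the RFC 3947 NAT-D hash, HASH(CKY-I | CKY-R | IP | Port), and compares the hash a peer sent for its own address against the hash of the address the packet actually arrived from. SHA-1 as the negotiated phase-1 hash, the ISAKMP cookies and all addresses and ports are constructed for the example; only the source-address NAT-D check is modelled (a real exchange also carries one for the destination).

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies for the example (8 bytes each, as in a real IKE header).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload contents per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    The hash function is the one negotiated in IKE phase 1; SHA-1 is assumed
    here. IP is the packed address, Port a 16-bit big-endian integer.
    """
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes,
                      claimed_ip: str, claimed_port: int,
                      observed_ip: str, observed_port: int) -> bool:
    """True if the NAT-D hash the peer computed over its own address does not
    match the hash of the source address/port the packet really came from.
    That mismatch is exactly how a NAT-T gateway learns it is behind a NAT."""
    received = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    local_view = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return received != local_view


def choose_transport(nat_detected: bool) -> str:
    """What a NAT-T-only gateway such as the PIX in this thread ends up using."""
    if nat_detected:
        return "UDP-encapsulated ESP, IKE and ESP floated to UDP/4500"
    return "plain ESP (IP protocol 50), IKE stays on UDP/500"


def run_scenarios() -> dict:
    # Scenario A: client directly on the Internet. It hashes its real address,
    # and the gateway sees the packet arriving from that same address and port.
    client_ip, client_port = "198.51.100.10", 500            # constructed
    nat_a = nat_between_peers(CKY_I, CKY_R, client_ip, client_port,
                              client_ip, client_port)

    # Scenario B: client on private space behind a NAT. It hashes its private
    # address, but the gateway sees the NAT's public address and a rewritten port.
    private_ip, private_port = "192.168.1.20", 500           # constructed
    nat_public_ip, nat_port = "203.0.113.7", 41337           # constructed
    nat_b = nat_between_peers(CKY_I, CKY_R, private_ip, private_port,
                              nat_public_ip, nat_port)

    return {
        "direct": (nat_a, choose_transport(nat_a)),
        "behind_nat": (nat_b, choose_transport(nat_b)),
    }


if __name__ == "__main__":
    for name, (nat, transport) in run_scenarios().items():
        print(f"{name:10s} NAT detected={nat!s:5s} -> {transport}")
```

The two scenarios reproduce the behaviour described in the thread: a client that is not NAT'ed produces matching hashes and stays on plain ESP, so "isakmp nat-traversal" changes nothing for it, while a NAT'ed client produces a mismatch and is moved to UDP/4500. Nothing in this mechanism lets the port be chosen, which is why a fixed 4500 is all the PIX offers.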

