
how do i know my pix supports transparent tunneling 1


PoorNTGuy (MIS), Apr 11, 2003
How do I know if my PIX supports transparent tunneling, and how do I enable it? I am running "Pix Version 6.2(2)".

Thanks
 
Are you talking about creating IPSec tunnels? If so, the only requirement is that you have to have a DES or 3DES key. The DES key is free from Cisco, but I believe that there is a fee for the 3DES key.

 
You need PIX OS at least version 6.3.
Here are my notes on transparent tunneling:

Cisco & IPSEC Transparency

By design, NAT & PAT will break the IPSEC encryption. Another issue is that multiple clients behind a firewall cannot run simultaneously because they will step on each other's streams.
This is a common problem when users try to use hotel, wireless and apartment complexes with ISP connections and firewalls. There are workaround solutions available in some cases depending upon the equipment and software being deployed.

VPN 3000

The VPN3000 system has provided two workarounds to this problem.
a) In Unity Client version 3.0 – 3.2, an option called IPSEC over NAT using UDP was implemented. The default port used was udp/10000. While this option provided support for clients behind a firewall performing NAT and PAT, it was not always reliable due to the nature of the UDP protocol and also depending on how the firewall code had implemented NAT & PAT.
b) In Client version 3.3, a new feature was added to perform IPSEC over NAT using TCP. The default port was 10000. TCP is much more reliable than UDP and it also resolved the problem of running multiple simultaneous clients behind a firewall. (Preferable method to use, much more reliable than UDP)

Configuring the VPN Client for IPSEC Transparency
Click on Options>Properties
check the box to enable Transparent Tunneling
check box for Use IPSEC over UDP, OR use the TCP option, which is more reliable when connecting to a VPN3000.

PIX & IPSEC over NAT/PAT

PIX O/S 6.2 and earlier has no direct support for IPSEC transparency with NAT/PAT.

In PIX O/S v6.3+, configure:
To enable NAT traversal, enter the following command:
isakmp nat-traversal [natkeepalive]
Valid values for natkeepalive are 10 to 3600 seconds; the default is 20 seconds.

Configure the VPN client to use IPSEC over UDP.
Click on Options>Properties
check the box to enable Transparent Tunneling
check box for Use IPSEC over UDP

As of PIX 6.3, IPSEC can be implemented over NAT/PAT just like on the VPN3000.
PIX refers to it as VPN NAT Traversal.
This feature extends support for site-to-site and remote access IPSec-based VPNs to network environments that implement Network Address Translation (NAT) or Port Address Translation (PAT), such as airports, hotels, wireless hot spots, and broadband environments.
This feature is added to the isakmp nat-traversal command in PIX Firewall Version 6.3 software. To configure this command, refer to "Using NAT Traversal" in the Cisco PIX Firewall and VPN Configuration Guide. For a complete description of the command syntax for this new command, refer to the Cisco PIX Firewall Command Reference.
Using NAT Traversal
Network Address Translation (NAT) and Port Address Translation (PAT) are implemented in many networks where IPSec is also used, but there are a number of incompatibilities that prevent IPSec packets from successfully traversing a NAT device.
PIX Firewall Version 6.3 provides a feature called "NAT Traversal," as described by Version 2 and Version 3 of the draft IETF standard, "UDP Encapsulation of IPsec Packets," which is available at the following URL:
NAT Traversal allows ESP packets to pass through one or more NAT devices. This feature is disabled by default.

Note NAT Traversal is supported for both dynamic and static crypto maps.

To enable NAT traversal, enter the following command:
isakmp nat-traversal [natkeepalive]
Valid values for natkeepalive are 10 to 3600 seconds; the default is 20 seconds.
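As an added example (not from the post above and not Cisco's code): the draft the notes cite, "UDP Encapsulation of IPsec Packets", became RFC 3948, and its companion RFC 3947 defines the NAT-D hash that lets IKE peers discover a NAT/PAT device in the path. The Python below classifies the three things that share udp/4500 under that framing (the one-byte 0xFF keepalive that the natkeepalive interval controls, IKE behind a four-zero-byte non-ESP marker, and UDP-encapsulated ESP) and reproduces the NAT-D comparison that explains why a PAT rewrite forces the switch to encapsulation. The cookies, SPI and addresses are constructed samples, not captured traffic. Cisco's IPSEC-over-UDP and IPSEC-over-TCP on port 10000 described above are a proprietary encapsulation and are not modelled here; only the RFC framing is.

```python
"""RFC 3948 NAT-T framing on udp/4500 and the RFC 3947 NAT-D check.

Added example, not from the forum post. All sample payloads below are
constructed, not captured from a real PIX or VPN client.
"""
import hashlib
import ipaddress
import struct

NAT_T_PORT = 4500                     # UDP port used once a NAT is detected (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero bytes in front of IKE on udp/4500
NAT_KEEPALIVE = b"\xff"               # one-byte keepalive that refreshes the NAT mapping


def classify_natt_payload(payload: bytes) -> dict:
    """Return what a UDP payload arriving on udp/4500 carries.

    RFC 3948 multiplexes three things on the same port: a 1-byte keepalive,
    IKE (prefixed by a non-ESP marker of four zero bytes, which works because an
    ESP SPI is never 0) and UDP-encapsulated ESP (SPI + sequence number first).
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than an ESP header"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_bytes": len(payload) - 4}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: SHA-1(CKY-I | CKY-R | IP | Port).

    The cookies are the 8-byte ISAKMP initiator/responder cookies, the IP is in
    network byte order and the port is a 2-byte big-endian value.
    """
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, peer_claimed: tuple, observed: tuple) -> bool:
    """True when a NAT/PAT device sits between the peers.

    The peer hashes the address and port it believes it is sending from; the
    receiver recomputes the hash over the source address and port it actually
    saw on the wire. Any rewrite by NAT/PAT makes the two hashes differ, and
    that mismatch is what moves the exchange to UDP encapsulation on udp/4500.
    """
    ip_c, port_c = peer_claimed
    ip_o, port_o = observed
    return nat_d_hash(cky_i, cky_r, ip_c, port_c) != nat_d_hash(cky_i, cky_r, ip_o, port_o)


# Constructed sample values (hypothetical cookies, SPI and addresses)
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
SAMPLES = {
    "keepalive": NAT_KEEPALIVE,
    "ike": NON_ESP_MARKER + CKY_I + CKY_R + b"\x00" * 12,     # marker + start of ISAKMP header
    "esp": struct.pack("!II", 0x12345678, 1) + b"\x00" * 16,  # SPI, seq, then ciphertext
}


def summarize(samples: dict) -> dict:
    """Map each sample name to its classified kind (a quick self-check for a detector)."""
    return {name: classify_natt_payload(p)["kind"] for name, p in samples.items()}


if __name__ == "__main__":
    print(summarize(SAMPLES))
    # Client behind a home router thinks it is 192.168.1.10:500; the PIX sees 203.0.113.7:4500
    print("NAT in path:", nat_detected(CKY_I, CKY_R, ("192.168.1.10", 500), ("203.0.113.7", 4500)))
```

For a defender watching the outside interface, the practical use is the first function: once NAT-T is enabled, udp/4500 carries keepalives, IKE and ESP together, so a flow monitor that only counts udp/500 and IP protocol 50 will miss the tunnel traffic entirely, while a one-byte 0xFF every natkeepalive seconds is the expected idle signature rather than an anomaly.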