
VPN Pass-Thru

Status
Not open for further replies.

pcfreakx (MIS, US), Oct 28, 2002
Guys I have a Netscreen 5xp and I like to think I know what I am doing with it (but you can be the judge of that). I have 3 boxes NAT'd behind the NS. One does mail, one web and one I use for VPN to my corporate LAN. I have VIPs for the web and mail but for the life of me I can't figure out how to pass VPN through for the 3rd. NS support says I must use MIPs but then I can't host my web or mail like I currently am (I only have one public IP). I set up a rule/VIP to forward Protocols 50 and 51 and UDP 500 like I am supposed to but it won't go. Linksys and other cheaper vendors make a simple button that opens the rule, but NS support says a VIP only supports 16 ports and not the whole range (0-65535) that I need for 2 protocols (ESP and AH). What in the heck can I do? Get another public and MIP it? Put a hub upstream of the 5xp and hang off that? Thanks, . . .

Nick, CISSP
 
Tragically, you need more public addresses. IPSec and PPTP do work just fine through the 5xp but not with VIP running and taking over the available IP.
 
I know it's been a while since you posted this question, sorry I haven't checked this forum for a while. If the question is still relevant. Assuming that you also have a Netscreen box at the other end, it is fairly straightforward (he says!). Create a Manual Key VPN definition at siteA & siteB that have a gateway address of the remote site untrusted IP address. Define an address for the remote site from each end with the internal IP range assigned to it (e.g. siteA has an untrusted address as SITEB 10.0.0.0/255.0.0.0). Then create a policy that says traffic going from InsideAny to SiteB is to tunnel using the VPN you created earlier.

Any traffic destined for the internal network at the remote site will go via VPN. All other traffic such as web browsing will go out to the internet as normal.

Does that give you what you want?
 
Thanks for the advice. I should have been more clear. Actually we are using a software VPN product (AT&T's Globalnet) that goes to an ISP's "cloud". Since it is a 3rd party, I have no real way of making a simple IPSEC compliant tunnel between 2 routing devices. It passes through fine as long as I forward EVERYTHING through the NS to my one internal IP. But when I use VIPs instead of MIPs to send different ports to different boxes, I can't get it to go at all. It breaks during key exchange. I have forwarded Protocols 50 and 51 (ESP and AH) and UDP 500 according to IPSEC standard. Any other ideas? It sux that my friends have cheap $100 devices that support it and mine won't do it!
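As an added illustration (written for this page, not code from any poster or from Netscreen), the following Python inspects constructed IPv4 packets the way a port-based forwarding rule would have to. IKE runs over UDP/500 and so carries port numbers, but ESP (protocol 50) and AH (protocol 51) carry a Security Parameters Index instead of ports, which is why a VIP keyed on port numbers has nothing to match for those two protocols. The function names, the sample addresses and the SPI values are assumptions made up for the example.

```python
import struct

# Protocol numbers from the thread: ESP (50), AH (51); IKE runs over UDP/500.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT = 500

def classify(packet: bytes) -> dict:
    """Inspect an IPv4 packet and report what a port-based NAT/VIP rule could match.

    Returns the protocol name, UDP ports when present, and the SPI for ESP/AH.
    'port_forwardable' is True only when the packet carries L4 ports: IKE does,
    ESP and AH do not, so a port-keyed VIP can forward IKE but never ESP or AH.
    """
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IPv4 protocol field
    payload = packet[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return {"proto": "UDP", "sport": sport, "dport": dport,
                "ike": IKE_PORT in (sport, dport), "port_forwardable": True}
    if proto in (IPPROTO_ESP, IPPROTO_AH):
        # ESP: SPI is the first 4 bytes. AH: next header, length, reserved, then SPI.
        spi_bytes = payload[:4] if proto == IPPROTO_ESP else payload[4:8]
        return {"proto": "ESP" if proto == IPPROTO_ESP else "AH",
                "spi": struct.unpack("!I", spi_bytes)[0], "port_forwardable": False}
    return {"proto": str(proto), "port_forwardable": False}

def _ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header around payload (constructed sample, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([203, 0, 113, 5]), bytes([198, 51, 100, 9]))
    return hdr + payload

# Constructed sample packets: IKE over UDP/500, an ESP packet, an AH packet.
SAMPLES = {
    "ike": _ipv4(IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "esp": _ipv4(IPPROTO_ESP, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 8),
    "ah": _ipv4(IPPROTO_AH, struct.pack("!BBHII", 50, 4, 0, 0xABCD0001, 1) + b"\x00" * 12),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```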
 