VPN tunneling question

ianicr (IS-IT--Management), GB
Nov 4, 2003
Hi, we've got a remote office with a Cisco firewall. Our office uses a RH9 box as a firewall/router. The Cisco firewall only allows one connection per IP. We've just got a new member of staff who needs to use the VPN. Can anyone tell me if there's a way to use the RH9 box to tunnel through to the VPN?
 
So can I use OpenVPN to tunnel to the Cisco box?
 
No, you cannot use OpenVPN for your Cisco-based solution, AFAIK.

Well, it seems you have a problem.
Without knowing your configuration I can't say for certain
whether a pool of suitable addresses actually exists, but
the snat chain in the nat table is the best way to deal
with your issue if addresses are available.

Code:
   SNAT
       This target is  only  valid  in  the  nat  table,  in  the
       POSTROUTING  chain.   It specifies that the source address
       of the packet should be modified (and all  future  packets
       in this connection will also be mangled), and rules should
       cease being examined.  It takes one option:

       --to-source  <ipaddr>[-<ipaddr>][:port-port]
              which can specify a single new source  IP  address,
              an inclusive range of IP addresses, and optionally,
              a port range (which is only valid if the rule  also
              specifies  -p  tcp or -p udp).  If no port range is
              specified, then source  ports  below  512  will  be
              mapped  to other ports below 512: those between 512
              and 1023 inclusive will be mapped  to  ports  below
              1024,  and  other  ports  will be mapped to 1024 or
              above. Where  possible,  no  port  alteration  will
              occur.
 
So I can use SNAT to give clients an external IP?
 
Yes I have spare external IPs. How would I go about setting that up?
 
So that would map whatever is in $localnet to the range 10.21.3.1, yes? So if I run:

iptables -t nat -A POSTROUTING -s 192.168.2.81 -p udp -j SNAT --to 82.100.100.100

that will make everything from 192.168.2.81 look like it's come from 82.100.100.100? Obviously with a correct spare external IP address...
 
Out of curiosity, why won't OpenVPN talk to Cisco? Is one of them not using IPSec standards?
 
According to the guys that run the Cisco firewall I only need UDP. So I've got my machine at 192.168.2.81. Should the rule above make all UDP traffic from 192.168.2.81 come from 82.100.100.100? Because I've tried it, and when the connection to the VPN is made it still says it's coming from my original IP...
 
Okay.
I've just tested this situation and it works flawlessly.
Configuration:
Code:
eth0:2    Link encap:Ethernet  HWaddr foobar
          inet addr:123.21.3.4  Bcast:123.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:3

eth0:3    Link encap:Ethernet  HWaddr foobar
          inet addr:12.21.3.4  Bcast:12.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:3

Now I add this rule:
Code:
iptables -t nat -A POSTROUTING -s 12.21.3.4 -j SNAT --to 123.21.3.4

Now since I have no legitimate routes, none of this
traffic can be empirically proven by conventional connectivity tests. However, tcpdump is my buddy. ;)

Code:
ping -I 12.21.3.4 www.yahoo.com
PING www.yahoo.akadns.net (216.109.118.75) from 12.21.3.4 : 56(84) bytes of data

and tcpdump says:
Code:
12:25:38.431845 IP 123.21.3.4 > p7.www.dcn.yahoo.com: icmp 64: echo request seq 1
12:25:39.441754 IP 123.21.3.4 > p7.www.dcn.yahoo.com: icmp 64: echo request seq 2
12:25:40.441613 IP 123.21.3.4 > p7.www.dcn.yahoo.com: icmp 64: echo request seq 3
12:25:41.441461 IP 123.21.3.4 > p7.www.dcn.yahoo.com: icmp 64: echo request seq 4
12:25:42.441307 IP 123.21.3.4 > p7.www.dcn.yahoo.com: icmp 64: echo request seq 5

Pretty cool. Run tcpdump against the src address you are
hoping to snat and see what's going on.
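The SNAT approach described in the replies above (the man-page excerpt, the rule ianicr tried, and the tcpdump test), pulled together as an added example that is not code from the thread. It is a small POSIX shell script that prints the 1:1 SNAT rule for one inside host and the commands to confirm it is taking effect. The addresses 192.168.2.81 and 82.100.100.100 are the thread's own placeholders; eth0 as the outside interface and the function names are assumptions. It also covers two things a plain UDP-only rule can miss: rule order in POSTROUTING when a MASQUERADE rule for the whole LAN already exists, and ESP (IP protocol 50), which a Cisco IPsec client sends after IKE unless the peer encapsulates IPsec over UDP.

```shell
#!/bin/sh
# Added example, not code from the thread. Gives one inside host its own public
# source address with a 1:1 SNAT so a peer that admits only one session per
# source IP (the Cisco firewall in the question) sees that client as a separate
# address. 192.168.2.81 and 82.100.100.100 are the thread's own placeholders;
# eth0 as the outside interface is an assumption. The spare public address must
# already be configured on the outside NIC (an alias like eth0:2 in the reply,
# or "ip addr add 82.100.100.100/32 dev eth0"), or the kernel will not accept
# the VPN peer's replies to it.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print, rather than run, the rule that rewrites the source of everything from
# LAN_HOST leaving WAN_IF to PUB_IP. Printing lets the change be reviewed
# first; pipe the output to sh to apply it.
snat_rules() {
    lan_host=$1 pub_ip=$2 wan_if=$3
    valid_ipv4 "$lan_host" && valid_ipv4 "$pub_ip" || return 1
    # -I ... 1, not -A: POSTROUTING is first match wins, so an existing
    # MASQUERADE or SNAT rule covering the whole LAN would otherwise take the
    # packet first and the host would keep leaving with the shared address.
    # No "-p udp": unless the peer encapsulates IPsec over UDP (NAT traversal),
    # the Cisco client sends ESP (IP protocol 50) after IKE on UDP/500, and a
    # UDP-only rule would leave the ESP packets untranslated.
    printf 'iptables -t nat -I POSTROUTING 1 -o %s -s %s -j SNAT --to-source %s\n' \
        "$wan_if" "$lan_host" "$pub_ip"
}

# Print the commands that confirm the translation is really happening.
verify_cmds() {
    lan_host=$1 pub_ip=$2 wan_if=$3
    # Per-rule packet counters: a rule that stays at 0 never matched.
    printf 'iptables -t nat -L POSTROUTING -v -n --line-numbers\n'
    # Outside capture: the client's packets must now show PUB_IP as source,
    # as in the tcpdump output in the reply above.
    printf 'tcpdump -ni %s host %s\n' "$wan_if" "$pub_ip"
    # Connection tracking table on a 2.4 kernel (RH9): each entry lists the
    # original tuple and the reply tuple; the reply dst should be PUB_IP.
    printf 'grep %s /proc/net/ip_conntrack\n' "$lan_host"
}

if [ "${1:-}" = "apply" ]; then
    snat_rules 192.168.2.81 82.100.100.100 eth0 | sh   # needs root
else
    snat_rules 192.168.2.81 82.100.100.100 eth0
    verify_cmds 192.168.2.81 82.100.100.100 eth0
fi
```

Run it with no arguments to see the rule and the checks; run it with `apply` as root to install the rule. If the capture on the outside interface still shows the inside address, look at the counters first: a zero count on the SNAT rule usually means an earlier POSTROUTING rule or a protocol mismatch took the packet before it got there.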
 
You can also allow multiple VPN clients on a single IP address to access the Cisco PIX. Enabling "NAT traversal" on the PIX fixed it in my situation.
 