
List:       sidewinder
Subject:    RE: [Sidewinder] Cisco VPN clients and passing traffic
From:       sidewinder () adeptech ! com
Date:       2004-07-02 1:34:57
Message-ID: 200407021956.i62Jusq13951 () aag ! adeptech ! com



I have a Nortel's Contivity Client (4.61) on a WinXP machine (behind
a Sidewinder 5.2.09) connecting to a remote Contivity; I think that the
setup is similar:

1. Configure the VPN concentrator for NAT-T support and the
UDP port for NAT Traversal (in my case it is UDP 10001).

2. Create two UDP IP filter rules:
Internal IP (burb internal)--> External IP (burb external) -->UNI--
-->Source Begin UDP Port (0) ----> Dest UDP Port (500) ---> Address
Rewrite NAT (local)

Internal IP (burb internal)--> External IP (burb external) -->UNI--
-->Source Begin UDP Port (0) ----> Dest UDP Port (10001) ---> Address
Rewrite NAT (local)

3. Try to connect
Good luck!!

-----Original Message-----
From: sidewinder@adeptech.com [mailto:sidewinder@adeptech.com]
Sent: Thursday, 01 July 2004 14:30
To: sidewinder@adeptech.com
Subject: RE: [Sidewinder] Cisco VPN clients and passing traffic


You need to first put the windows machine that you want to connect to
the VPN on a static IP.  The only way to get the rules to work is to
specifically allow that IP.  Then you have to make IP Filter Rules:
1. UDP port 500, Uni-directional source burb internal/static IP of
client, external burb IP address of VPN concentrator.
2. Make Sure that you use NAT and use the external IP address of your
firewall.  NAT mode is normal.
3. Copy rules 1 and 2 and make them for port 10000 and another one for
4500, all UDP.
4. Then make a rule for port 10000 for TCP and make sure it is the same
setup as the UDP rules: internal and external burbs the same, NAT the same
and all UNI-directional.
One last thing: for the source and destination BURB, make sure you use the
same port on both. No ranges. Allow for one rule per port. You will
have a total of 3 ipfilter rules for each VPN user you have. It is a
bit much but that is what I had to do to get it to work.
But then again I am using 6.1.
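
The per-client rule set described in the reply above, modelled as an added example (this is not code from the list thread or from the Sidewinder product): a small first-match evaluator over unidirectional filter rules that shows which client flows pass with a rewritten source address, that a second internal host or a reverse-direction packet is not covered, and that bare ESP (no ports) never matches these UDP/TCP rules, which is why NAT-T or IPsec over TCP is needed from behind the firewall. All addresses are constructed placeholders.

```python
# Added example: a simplified model of the Sidewinder ipfilter rules the
# reply above lists (UDP 500, UDP 4500, UDP 10000, TCP 10000, one rule per
# port, uni-directional, NAT to the firewall's external address). Rule
# semantics here are an approximation, not the product's own logic.
from dataclasses import dataclass

FW_EXTERNAL_IP = "203.0.113.1"      # constructed: firewall external burb address
CLIENT_IP = "192.168.1.50"          # constructed: static IP of the VPN client
CONCENTRATOR_IP = "198.51.100.10"   # constructed: remote VPN concentrator


@dataclass(frozen=True)
class FilterRule:
    src_burb: str
    dst_burb: str
    proto: str        # "udp" or "tcp"
    src_ip: str       # the client's static IP (the reply: "specifically allow that IP")
    dst_ip: str       # the VPN concentrator
    port: int         # same port on source and destination, no ranges
    nat_to: str       # address rewrite target: the firewall's external IP


def build_vpn_rules(client_ip: str, concentrator_ip: str, fw_ext_ip: str) -> list:
    """One rule per port/protocol pair from the reply's steps 1 to 4."""
    ports = [("udp", 500), ("udp", 4500), ("udp", 10000), ("tcp", 10000)]
    return [FilterRule("internal", "external", proto, client_ip,
                       concentrator_ip, port, fw_ext_ip) for proto, port in ports]


def evaluate(rules, src_burb, proto, src_ip, dst_ip, src_port=None, dst_port=None):
    """First-match evaluation of uni-directional rules.

    Returns ("allow", nat_source_ip) or ("deny", None). ESP and AH carry no
    ports, so they can never match these rules; from behind the firewall
    that traffic has to travel inside NAT-T (UDP 4500) or IPsec over TCP.
    """
    for r in rules:
        if (r.src_burb == src_burb and r.proto == proto
                and r.src_ip == src_ip and r.dst_ip == dst_ip
                and src_port == r.port and dst_port == r.port):
            return "allow", r.nat_to
    return "deny", None


RULES = build_vpn_rules(CLIENT_IP, CONCENTRATOR_IP, FW_EXTERNAL_IP)
```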

-----Original Message-----
From: sidewinder-bounces@adeptech.com
[mailto:sidewinder-bounces@adeptech.com] On Behalf Of
sidewinder@adeptech.com
Sent: Thursday, July 01, 2004 11:44 AM
To: sidewinder@adeptech.com
Subject: [Sidewinder] Cisco VPN clients and passing traffic

OK, I give up.

I have a Cisco VPN client on a windows machine behind a Sidewinder
5.2.1.09, and need to get the client to connect to a VPN concentrator
out on the Internet.

I have gone through the list and there are a few posts regarding
generally passing IPSEC/IKE through a Sidewinder, but nothing really
specific. Most of it is of the form "Use ip filters to filter ESP" etc.
I realise that I need to do this (and possibly AH as well), and I know
that I may well need to use UDP 4500 and TCP/UDP 10000 for the NAT-T and
IPSEC over TCP as well, but:

How many filters do I need; a single filter per port, or
incoming/outgoing? Do I need to set up the filters as uni or bi? Do the
filters need to be set up as NAT/REDIR/NONE? Will I need Translate rules
as well? Do I use an IKE proxy with redirect for the UDP 500 port, or
should I use UDP filters?
Both Sidewinder & the Cisco concentrator are on static IPs so I can tie
the link down to specific IP addresses.

Are there any documents out there which specify a set of instructions?
Or does any kind person out there have a working setup that I can crib
off?

Thanks.

Pete Dewell
-- 

Technical Support/Analyst
Volt Europe
Tel    : (+44) (0) 1737 774100
Fax    : (+44) (0) 1737 772949
Mobile : (+44) (0)  777 1513066
E-mail  pete.dewell@volteurope.com

_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
