-
September 25th, 2003, 05:03 PM
#1
Junior Member
L2TP/IPSec through Firewall + NAT
Hi folks,
Does anyone know how to pass incoming VPN traffic (L2TP over IPSec) through a PIX (or any other) firewall to an MS ISA server on the inside? I can do PPTP, but I can't seem to get L2TP to work. The client is a Win2K computer (DUN).
BTW, the PIX is NATting the traffic, so the ISA server has a private IP address.
Any help is greatly appreciated.
-
September 25th, 2003, 06:43 PM
#2
Think you are going to have to set up a 1-to-1 NAT for your server so that it can be reached from the outside.
You are also going to have to put an incoming access-list on your outside interface to permit the protocol (protocol 50/udp 500 for IPSec, not sure about L2TP) (and anything else you want to come in), followed by a deny ip any any.
Hope that helps,
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect... There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
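As an added illustration of the advice in the post above (not configuration from the thread or from Cisco's document), here is what the 1-to-1 translation plus an inbound access-list would look like on a PIX 6.3-style CLI. The addresses are made up: 203.0.113.10 stands for the public address and 192.168.1.10 for the inside ISA server; the access-list name and interface names are assumptions.

```text
: Added example, not from the thread. Public 203.0.113.10 and inside
: 192.168.1.10 are constructed addresses; outside_in is an assumed ACL name.

: One-to-one static translation so the ISA server is reachable from outside
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

: Inbound policy on the outside interface: only what the VPN needs
access-list outside_in remark IKE key exchange (UDP 500)
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in remark IPsec ESP (IP protocol 50)
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in remark explicit catch-all deny
access-list outside_in deny ip any any

access-group outside_in in interface outside
```

L2TP itself (UDP 1701) rides inside the ESP payload, so the firewall never sees it and needs no separate rule for it. The caveat raised later in the thread still applies: because L2TP/IPsec encrypts in transport mode, rewriting the outer addresses can still break the inner checksums and peer identity unless the client supports NAT traversal.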
-
September 25th, 2003, 07:21 PM
#3
In other words, you want the traffic bound for true Internet destinations to be NATed, and you want the traffic destined to travel through the IPSec tunnel to be tunneled, not NATed. On Cisco equipment, this is accomplished using an access control list.
Found this via the link beneath:
http://www.zdnet.com.au/newstech/sec...0262010,00.htm
Seems NAT breaks the VPN using L2TP.
This is an interesting topic indeed, had some issues too in the past on this topic. Finally we went back to PPTP and that worked :s, and still does.
The only thing I never tried is setting the box as a DMZ, but this is just a wild guess.
Greetz,
-
September 25th, 2003, 07:25 PM
#4
Originally posted here by .: Shrekkie :.
Found this via the link beneath:
http://www.zdnet.com.au/newstech/sec...0262010,00.htm
Seems NAT breaks the VPN using L2TP.
This is an interesting topic indeed, had some issues too in the past on this topic. Finally we went back to PPTP and that worked :s, and still does.
The only thing I never tried is setting the box as a DMZ, but this is just a wild guess.
Greetz,
Like I said, never done L2TP, but we do do NAT while passing IPSEC with no issues, but you do have to 1-to-1 NAT the box.
/nebulus
-
September 25th, 2003, 08:05 PM
#5
-
September 25th, 2003, 09:52 PM
#6
gunit0072003, I get a 404, you might wanna adjust the URL.
-
September 26th, 2003, 12:32 AM
#7
Junior Member
I am indeed able to use PPTP, but then, I don't get any encryption.
That part is very important for me.
I'm still researching this problem.
Thanks anyway for the suggestions.
-
September 26th, 2003, 01:32 AM
#8
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
September 26th, 2003, 04:57 AM
#9
Last I checked, Cisco had a readme about how its (or M$'s) implementation of this particular feature is broken or incompatible. Sometimes there are no easy answers.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
October 14th, 2003, 04:48 PM
#10
Member
KorpDeath is almost right. L2TP will work only for Win2K L2TP and PIX software version 6.0 or higher. There is an example on Cisco's site, but you have to have a CCO account. Here it is.
http://www.cisco.com/warp/customer/110/l2tp-ipsec.html
- Boyam