
Thread: L2TP/IPSec through Firewall + NAT

  1. #1
    Junior Member (Join Date: Aug 2003, Posts: 4)

    L2TP/IPSec through Firewall + NAT

    Hi folks,

    Does anyone know how to pass incoming VPN traffic (L2TP over IPSec) through a PIX (or any other) firewall to an MS ISA server on the inside? I can do PPTP, but I can't seem to get L2TP to work. The client is a Win2K computer (DUN).

    BTW, the PIX is NATting the traffic, so the ISA server has a private IP address.

    Any help is greatly appreciated.

  2. #2
    nebulus200, Jaded Network Admin (Join Date: Jun 2002, Posts: 1,356)

    Think you are going to have to set up a 1-to-1 NAT for your server so that it can be reached from the outside.

    You are also going to have to put an incoming access-list on your outside interface to permit the protocol (protocol 50/udp 500 for IPSec, not sure about L2TP) (and anything else you want to come in), followed by a deny ip any any.

    Hope that helps,

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Trumpet-Eared Gentoo Freak (Join Date: Jan 2003, Posts: 992)

    "In other words, you want the traffic bound for true Internet destinations to be NATed, and you want the traffic destined to travel through the IPSec tunnel to be tunneled, not NATed. On Cisco equipment, this is accomplished using an access control list."
    Found this via the link below:
    http://www.zdnet.com.au/newstech/sec...0262010,00.htm

    Seems NAT breaks the VPN using L2TP.
    This is an interesting topic indeed; had some issues too in the past on this topic. Finally we went back to PPTP and that worked :s, and still does.

    The only thing I never tried is setting the box as a DMZ, but this is just a wild guess.

    Greetz,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  4. #4
    nebulus200, Jaded Network Admin (Join Date: Jun 2002, Posts: 1,356)

    Originally posted here by .: Shrekkie :.
        Found this via the link below:
        http://www.zdnet.com.au/newstech/sec...0262010,00.htm

        Seems NAT breaks the VPN using L2TP.
        This is an interesting topic indeed; had some issues too in the past on this topic. Finally we went back to PPTP and that worked :s, and still does.

        The only thing I never tried is setting the box as a DMZ, but this is just a wild guess.

        Greetz,

    Like I said, never done L2TP, but we do do NAT while passing IPSEC with no issues, but you do have to 1-to-1 NAT the box.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5

  6. #6
    Trumpet-Eared Gentoo Freak (Join Date: Jan 2003, Posts: 992)

    gunit0072003, I get a 404; you might wanna adjust the URL.
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  7. #7
    Junior Member (Join Date: Aug 2003, Posts: 4)

    I am indeed able to use PPTP, but then, I don't get any encryption.
    That part is very important for me.
    I'm still researching this problem.
    Thanks anyway for the suggestions.

  8. #8
    Maestr0, Senior Member (Join Date: May 2003, Posts: 604)

    Try looking into UDP encapsulation of IPsec traffic. Has ups and downs but may be worth investigating.
    -Maestr0

    http://www.vpnc.org/ietf-ipsec/01.ipsec/msg02243.html
    http://www.ietf.org/internet-drafts/...-encaps-06.txt
    http://www.ittc.ku.edu/~kpm/EECS801-Fall2001/
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
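    To make the two firewall-side points in this thread concrete (nebulus200's inbound access-list in post #2: permit protocol 50 and UDP 500 to the 1-to-1 NATted server, then deny ip any any; and Maestr0's pointer in post #8 to UDP-encapsulated IPsec, which uses UDP 4500), here is an added Python model of such an access-list. It is not from the thread or from any Cisco or Microsoft documentation; the addresses, the ACL entries, and the evaluation order (ACL on the arriving public address, then static translation) are all constructed assumptions for illustration and should be checked against the real platform's behaviour.

```python
"""Added example (not from the thread): a small model of a PIX-style
inbound access-list on the outside interface for L2TP/IPsec to a
1-to-1 NATted server, extended with UDP-encapsulated IPsec (NAT-T).
All addresses and the ACL itself are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IP protocol numbers as they appear on the wire and in access-lists.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50   # IPsec ESP, "protocol 50" in the thread

# Ports involved in L2TP/IPsec: IKE, NAT-T, and L2TP (inside the tunnel).
PORT_IKE = 500
PORT_NAT_T = 4500
PORT_L2TP = 1701

# Constructed addresses: the ISA server's private address and the
# public address the PIX presents for it via a 1-to-1 (static) NAT.
ISA_INSIDE = "10.0.0.5"
ISA_OUTSIDE = "203.0.113.5"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None    # only meaningful for TCP/UDP


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: Optional[int]           # None means "ip" (any protocol)
    src: str                       # CIDR; ANY for "any"
    dst: str
    dport: Optional[int] = None    # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; no match falls to the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Inbound ACL on the outside interface, in the order post #2 describes:
# permit what the VPN needs to the server's public address, then deny all.
OUTSIDE_IN = [
    AclEntry("permit", PROTO_ESP, ANY, f"{ISA_OUTSIDE}/32"),
    AclEntry("permit", PROTO_UDP, ANY, f"{ISA_OUTSIDE}/32", PORT_IKE),
    AclEntry("permit", PROTO_UDP, ANY, f"{ISA_OUTSIDE}/32", PORT_NAT_T),
    AclEntry("deny", None, ANY, ANY),
]


def static_nat(pkt: Packet) -> Packet:
    """1-to-1 NAT: rewrite the public destination to the inside address."""
    if pkt.dst == ISA_OUTSIDE:
        return Packet(pkt.src, ISA_INSIDE, pkt.proto, pkt.dport)
    return pkt


def firewall(pkt: Packet) -> Tuple[str, Packet]:
    """ACL check on the packet as it arrives, then translation if permitted.
    Assumption of this model: the ACL is written against the public address;
    verify the ACL/NAT ordering on the actual platform."""
    action = evaluate(OUTSIDE_IN, pkt)
    return action, (static_nat(pkt) if action == "permit" else pkt)


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed remote Win2K client address
    samples = {
        "IKE":            Packet(client, ISA_OUTSIDE, PROTO_UDP, PORT_IKE),
        "ESP":            Packet(client, ISA_OUTSIDE, PROTO_ESP),
        "NAT-T":          Packet(client, ISA_OUTSIDE, PROTO_UDP, PORT_NAT_T),
        "bare L2TP/1701": Packet(client, ISA_OUTSIDE, PROTO_UDP, PORT_L2TP),
        "RDP to ISA":     Packet(client, ISA_OUTSIDE, PROTO_TCP, 3389),
    }
    for name, pkt in samples.items():
        action, out = firewall(pkt)
        print(f"{name:15} {action:6} -> {out.dst}")
```

    The bare UDP/1701 case is deliberately denied: in L2TP/IPsec the L2TP traffic travels inside ESP (or inside the UDP 4500 encapsulation when NAT-T is in use), so the outside interface only needs to admit IKE, ESP and, if applicable, NAT-T to the server's public address, and everything else still hits the trailing deny.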

  9. #9
    KorpDeath, Priapistic Monk (Join Date: Dec 2001, Posts: 2,628)

    Last I checked, Cisco had a readme about how its (or M$'s) implementation of this particular feature is broken or they are incompatible. Sometimes there are no easy answers.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  10. #10
    KorpDeath is almost right. L2TP will work only for Win 2k L2TP and PIX software version 6.0 or higher. There is an example on Cisco's site, but you have to have a CCO account. Here it is.

    http://www.cisco.com/warp/customer/110/l2tp-ipsec.html
    - Boyam
