-
August 24th, 2004, 12:20 PM
#1
Senior Member
VPN through FW...
Hi everybody, I've a VPN client service that I use to connect to my office. To connect, I install the Cisco VPN client software with a minimal config, that is the host IP and the name and password of the group. It works fine from an ADSL or dialup connection to the internet.
Now I'm trying to do the same from another corporate network. This network connects to the internet through a Nokia box. First I opened 500 UDP and 50 TCP from the workstation to the VPN host and it didn't work. Finally I opened all the traffic from the WS to the VPN and from the VPN to the WS, but it still doesn't work... I did a tcpdump on the Nokia box but it only showed 500 UDP. Any idea?
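The tcpdump observation in the post above is the most useful clue, so here is an added example (not from the thread) that sorts tcpdump-style lines into the three flows a Cisco IPsec client needs through the Nokia box: IKE on UDP 500, ESP as IP protocol 50 (a protocol number, not a TCP port), and NAT-T on UDP 4500, which IKE moves to when it detects NAT in the path. The capture lines, addresses and the assumed tcpdump output format are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample capture (not data from the thread): the client at
# 192.168.1.10 retries IKE phase 1 towards 203.0.113.5 and nothing else moves.
SAMPLE_CAPTURE = """\
12:20:01.100 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:20:01.250 IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: phase 1 R ident
12:20:03.100 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:20:05.100 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
"""

# tcpdump prints "host.port > host.port: payload"; ESP has no ports (IPv4 only here).
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)")

IKE, NATT, ESP = "IKE (UDP 500)", "NAT-T (UDP 4500)", "ESP (IP proto 50)"

def flow_of(dport, payload):
    """Map one packet to the IPsec component it belongs to, or None."""
    if payload.startswith("ESP("):
        return ESP
    if dport == "4500":                      # NONESP-encap IKE or UDP-encap ESP
        return NATT
    if dport == "500" and payload.startswith("isakmp"):
        return IKE
    return None

def summarize(capture, client_ip):
    """Count packets per (flow, direction); 'out' means sent by the client."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, _, _, dport, payload = m.groups()
            flow = flow_of(dport, payload)
            if flow:
                counts[(flow, "out" if src == client_ip else "in")] += 1
    return counts

def diagnose(counts):
    """Findings a firewall admin can act on, derived from the counts."""
    findings, total = [], lambda f: counts[(f, "out")] + counts[(f, "in")]
    if counts[(IKE, "out")] and not counts[(IKE, "in")]:
        findings.append("IKE leaves but never returns: check the outbound rule and the return path")
    if counts[(IKE, "in")] and not total(NATT) and not total(ESP):
        findings.append("IKE is answered but no ESP (IP protocol 50, not TCP port 50) and no "
                        "NAT-T on UDP 4500 follows: behind NAT, expect and permit UDP 4500")
    if counts[(IKE, "out")] > 2 * max(counts[(IKE, "in")], 1):
        findings.append("client keeps retrying phase 1: the exchange never completes")
    return findings
```

Run `diagnose(summarize(SAMPLE_CAPTURE, "192.168.1.10"))` against a real capture from the firewall to see which of the three flows is missing.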
-
August 24th, 2004, 01:03 PM
#2
Some VPNs won't accept "NAT" connections; I mean, you can't establish a tunnel through a firewall that is doing network address translation. Contact the VPN vendor and check whether it's possible or not.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
August 24th, 2004, 01:44 PM
#3
Senior Member
I will do it... thank you!
-
August 24th, 2004, 08:21 PM
#4
To add additional information in the same regard: when using dialup or ADSL, your IP is often from a pool at your ISP, and often no NAT is used.
But many corporate LANs use the device's default inside numbering, like 192.168.1.0/24.
If you are on a LAN with a private address from 192.168.1.0/24 using a NAT device, and the network you are trying to create a tunnel to is also using that numbering scheme, you may be able to authenticate but could have problems routing, as your VPN client may not want to route to an endpoint network it thinks it is already on, based on source and destination addresses.
-
August 25th, 2004, 08:09 AM
#5
Senior Member
Yes, this can be the next problem... But now I'm not able to reach the remote host, so still no authentication or anything is going on...
-
August 25th, 2004, 10:34 AM
#6
VPN can easily be broken by NAT translation. You could try to set it as a DMZ; you could also test it by directly connecting it to the internet for a moment, before the firewall, just to verify it works properly.
Try this daemon maybe; they do say they support tunneling over NAT. http://openvpn.sourceforge.net/
Maybe this helps
-
August 25th, 2004, 01:45 PM
#7
Derekk, there are some solutions that can establish VPN tunnels through NAT (and even proxy servers). Cisco/Enterasys have one and I think Nokia (through Checkpoint) has one too. It's a VPN through HTTP encapsulation, using SSL.
It's good knowledge for you. Some exploits/worms use that technology too when creating backdoors.