 
 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] MonoWall and PIX
 Date:  Thu, 20 Apr 2006 01:02:02 +0200
Alex

You need the standard IPsec ports (UDP-500 and ESP) and UDP-4500.
For details on how NAT-T works look at:

RFC 3715 (IPsec-Network Address Translation (NAT) Compatibility Requirements)
http://www.ietf.org/rfc/rfc3715.txt

RFC 3947 (Negotiation of NAT-Traversal in the IKE)
http://www.ietf.org/rfc/rfc3947.txt

RFC 3948 (UDP Encapsulation of IPsec ESP Packets)
http://www.ietf.org/rfc/rfc3948.txt


Hope this helps...


Daniele


Alex Randjelovic wrote:
> Thank you for your reply. 
> Is UDP 4500 inbound the only port that needs to be open? How about
> protocol 50 and 51, and UDP 500?
> 
> Alex
> 
> -----Original Message-----
> From: Daniele Guazzoni [mailto:daniele dot guazzoni at gcomm dot ch] 
> Sent: Tuesday, April 18, 2006 6:28 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] MonoWall and PIX
> 
> You can use NAT on the m0n0wall but you will need to configure NAT-T on
> the PIX.
> If you want to run NAT-T you need to allow UDP-4500 through the
> m0n0wall.
> This would work.
> 
> The Cisco alternative would be the VPN-Concentrator (3000 series) which allows
> IPsec over TCP (default is TCP-10000) and is not affected by NAT.
> 
> Daniele
> 
> Alex Randjelovic wrote:
> 
>>Thank you for your reply.
>>I don't think PIX will support PPTP. Also, if upstream monowall provides
>>NAT, will IPSec be able to go through NAT and terminate to downstream
>>PIX?
>>One more question. If I configure OPT interface on upstream monowall to
>>be in bridge mode with WAN interface, would I need one public IP address
>>for monowall WAN interface, and one for PIX?
>>
>>Alex
>>
>>-----Original Message-----
>>From: Lee Sharp [mailto:leesharp at hal dash pc dot org] 
>>Sent: Monday, April 17, 2006 1:30 AM
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: Re: [m0n0wall] MonoWall and PIX
>>
>>From: "Alex Randjelovic" <alexr at atnetplus dot com>
>>
>>>I have an interesting challenge. Our company has a cable Internet line with
>>>a single static IP address. I need to set up monowall connected to the
>>>cable line, and after monowall a PIX 501 that will terminate VPN
>>>connections and provide Internet access for LAN users. Between monowall
>>>and PIX there will be a DMZ, providing wireless clients with Internet
>>>access (via wireless AP). Unfortunately, the company requirement is to
>>>terminate VPN connections on the PIX, not monowall.
>>>
>>>To be able to set up PIX as the VPN device, I have to pass all traffic from
>>>monowall to PIX. I don't think bridge mode would work, because there is
>>>only 1 public IP address.
>>
>>Under VPN -> PPTP, check "Redirect incoming PPTP connections to:" and it
>>works.  Unless you are under IPsec, and I haven't tried that one.
>>
>>                        Lee 
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
> 
> 

-- 



	best regards

------------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNA, CCNP

Ackersteinstrasse 203
CH-8049 Zurich
------------------------------------------------------------------
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
					William Jennings Bryan

GPG Fingerprint: 46EF FB0A A405 659F FB63 860B 6059 7A22 F58E 830E


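The thread settles on three things the upstream firewall must pass for NAT-T (UDP-500, UDP-4500 and ESP) and points at RFC 3947/3948 for how IKE and ESP share port 4500. The following is an added example, not code from this thread, from m0n0wall or from Cisco: it classifies UDP datagrams on the IPsec ports the way RFC 3948 defines them (one-byte NAT keepalive, four-byte non-ESP marker in front of IKE, otherwise UDP-encapsulated ESP starting with the SPI) and reports which of the required firewall passes are still missing. The sample datagrams are constructed by hand, not captures; the function and constant names are this example's own.

```python
"""Classify IPsec/NAT-T traffic on UDP 500 and 4500 per RFC 3947/3948 and
check a firewall's pass list against what a NAT-T deployment needs.
Added example; not code from the m0n0wall list thread or project."""
import struct

IKE_PORT = 500        # ISAKMP/IKE; always needed, NAT-T is negotiated here
NAT_T_PORT = 4500     # IKE and UDP-encapsulated ESP once a NAT is detected
ESP_PROTO = 50        # native ESP (IP protocol 50), used when no NAT is found
AH_PROTO = 51         # AH never traverses NAT; only needed if AH itself is used

# RFC 3948 section 2.2: IKE sent to port 4500 is prefixed with four zero
# bytes so it can be told apart from ESP, whose SPI is never all-zero.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 section 2.3: a one-byte 0xFF datagram keeps the NAT mapping alive.
NAT_KEEPALIVE = b"\xff"
ISAKMP_HEADER_LEN = 28

# (protocol, destination port) the firewall in front of the VPN endpoint must pass.
REQUIRED_PASSES = {("udp", IKE_PORT), ("udp", NAT_T_PORT), ("esp", None)}


def classify_udp_payload(dst_port, payload):
    """Return what an IPsec-aware filter would call this UDP datagram."""
    if dst_port == IKE_PORT:
        # Plain ISAKMP: no marker, header is the first 28 bytes.
        return "ike" if len(payload) >= ISAKMP_HEADER_LEN else "malformed"
    if dst_port != NAT_T_PORT:
        return "other"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        # Marker followed by a full ISAKMP header.
        ok = len(payload) >= 4 + ISAKMP_HEADER_LEN
        return "ike-nat-t" if ok else "malformed"
    if len(payload) >= 8:
        # Anything else is ESP: 4-byte SPI, 4-byte sequence, then ciphertext.
        return "esp-udp"
    return "malformed"


def parse_ike_header(payload, nat_t=False):
    """Decode the ISAKMP header (skipping the non-ESP marker on port 4500)."""
    body = payload[4:] if nat_t else payload
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", body[:ISAKMP_HEADER_LEN])
    return {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "major": version >> 4, "minor": version & 0x0F,
        "next_payload": next_payload, "exchange_type": exch,
        "flags": flags, "message_id": msg_id, "length": length,
    }


def parse_esp_header(payload):
    """Return (SPI, sequence number) of a UDP-encapsulated ESP packet."""
    return struct.unpack("!II", payload[:8])


def missing_passes(allowed):
    """Which of the NAT-T passes are absent from the firewall's pass list."""
    return REQUIRED_PASSES - set(allowed)


# Constructed sample datagrams (not captures).
# IKEv2 IKE_SA_INIT header: next payload 33 (SA), version 0x20, exchange 34,
# flags 0x08 (initiator), message id 0, length 28 (no payloads attached).
SAMPLE_IKE = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8,
                         33, 0x20, 34, 0x08, 0, ISAKMP_HEADER_LEN)
SAMPLE_IKE_NAT_T = NON_ESP_MARKER + SAMPLE_IKE
# UDP-encapsulated ESP: SPI, sequence number 7, then opaque ciphertext.
SAMPLE_ESP_UDP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)

if __name__ == "__main__":
    for port, pkt in [(500, SAMPLE_IKE), (4500, SAMPLE_IKE_NAT_T),
                      (4500, SAMPLE_ESP_UDP), (4500, NAT_KEEPALIVE)]:
        print(port, classify_udp_payload(port, pkt))
    print(parse_ike_header(SAMPLE_IKE_NAT_T, nat_t=True))
    print(parse_esp_header(SAMPLE_ESP_UDP))
    # A firewall that only opened UDP-4500, as asked in the thread:
    print(missing_passes({("udp", 4500)}))
```

The pass list mirrors the thread's answer: UDP-500 is where the peers detect the NAT in the first place, UDP-4500 carries both IKE and ESP afterwards, and native ESP is still needed for peers that find no NAT in the path. AH (protocol 51) is only relevant if the policy actually uses AH, which cannot cross a NAT at all.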