[c-nsp] Cisco VPN Concentrator

Peder at NetworkOblivion peder at networkoblivion.com
Thu Nov 10 14:51:40 EST 2005


TCP NAT traversal will not work if you just use the private interface.
You need to have traffic enter the public and go through the box to the
private if you want to use TCP NAT traversal.  I spent about 4 hours one
day trying to figure out why it wouldn't work, and then I found a release
note that said it no workee that way.

kevin gannon wrote:
> For NAT traversal, what port is the client set up to use? For the
> Cisco client you must manually turn it on. For the older code
> the port was TCP 10000 or 10001, can't remember for sure. To
> turn it on under the client: it's under the Transport tab of the
> client's configuration. You also have the option for UDP traversal
> in newer clients.
> 
> Regards
> Kevin
> 
> On 11/10/05, Bob Fronk <bfronk at davishelliot.com> wrote:
> 
>>I have those ports open to the Concentrator.
>>
>>I have also enabled NAT-T on the client and concentrator and still get
>>the same errors.
>>
>>I think I will just hang the concentrator off a public IP on the edge
>>router and be done with it.
>>
>>Bob Fronk, MCSE
>>bfronk at davishelliot.com
>>
>>
>>
>>
>>-----Original Message-----
>>From: Stevens, Brant I. [mailto:brant.stevens at hcmny.com]
>>Sent: Thursday, November 10, 2005 10:53 AM
>>To: kevin gannon; Bob Fronk
>>Cc: cisco-nsp at puck.nether.net
>>Subject: RE: [c-nsp] Cisco VPN Concentrator
>>
>>I believe to use NAT Traversal, you will need to open UDP port 500 to
>>the concentrator as well.  IIRC, doesn't the Cisco client also use port
>>4500?
>>
>>-----Original Message-----
>>From: cisco-nsp-bounces at puck.nether.net
>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kevin gannon
>>Sent: Thursday, November 10, 2005 10:24 AM
>>To: Bob Fronk
>>Cc: cisco-nsp at puck.nether.net
>>Subject: Re: [c-nsp] Cisco VPN Concentrator
>>
>>Don't have a box in front of me, but if you are using clients that support
>>it I would advise using NAT Traversal:
>>
>>http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_7/config/tunnel.htm#wp1029463
>>
>>Regards
>>Kevin
>>
>>On 11/10/05, Bob Fronk <bfronk at davishelliot.com> wrote:
>>
>>>How might I do that?
>>>
>>>Bob Fronk, MCSE
>>>bfronk at davishelliot.com
>>>
>>>
>>>
>>>
>>>-----Original Message-----
>>>From: cisco-nsp-bounces at puck.nether.net
>>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M.
>>>Streiner
>>>Sent: Thursday, November 10, 2005 10:09 AM
>>>To: cisco-nsp at puck.nether.net
>>>Subject: Re: [c-nsp] Cisco VPN Concentrator
>>>
>>>On Thu, 10 Nov 2005, Bob Fronk wrote:
>>>
>>>
>>>>Cisco VPN 3000 Concentrator.  If you are familiar with this product, you
>>>>know that it has two interfaces, one private and one public.  I do
>>>>not wish to give this device a public internet address.  I want to
>>>>place it behind my PIX.
>>>
>>>If I read your message correctly, you will run into problems because
>>>IPSEC does not like being NAT'd.  Anything that scribbles on the
>>>headers of an IP packet (like NAT) will be problematic with IPSEC since
>>>the packet checksum would change.  You can try to work around this using
>>>NAT Transparency.
>>>
>>>jms
>>>_______________________________________________
>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
> 
> 
> 
> 

-- 

Network stuff you didn't know....
http://www.networkoblivion.com
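The thread above boils down to two facts: a translator that keys on transport ports has nothing to grab in a raw ESP packet (IP protocol 50 has no ports), and NAT-Traversal fixes that by wrapping both IKE and ESP in UDP on port 4500, with UDP 500 still used for the initial IKE exchange. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from the VPN 3000 product. The port numbers, the zero "Non-ESP marker" that lets a receiver tell UDP-encapsulated IKE from ESP, and the one-byte keepalive come from RFC 3947/3948. The addresses, SPI, payloads and the `PATBox` translator model are constructed for the demonstration and do not model the PIX or any particular vendor (a one-to-one static NAT, unlike PAT, can pass protocol 50 unchanged; the model here is the port-keyed case that NAT-T exists to solve). Cisco's TCP encapsulation on port 10000 mentioned by Kevin is a separate, proprietary mechanism and is not modelled.

```python
"""Added example: why raw ESP cannot be port-translated, and how RFC 3947/3948
NAT-Traversal carries IKE and ESP inside UDP/4500 so an ordinary PAT device can
forward it.  Wire formats and ports are from the RFCs; every address, SPI and
payload below is a constructed sample value."""
import struct
from dataclasses import dataclass, field
from typing import Optional, Tuple

IKE_PORT = 500                        # ISAKMP/IKE, UDP (initial exchange)
NAT_T_PORT = 4500                     # UDP-encapsulated IKE and ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3947: prefix on IKE sent to 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s.2.3: one-byte keepalive


@dataclass
class Packet:
    proto: str                 # "esp" (IP protocol 50, no ports) or "udp"
    src: str
    dst: str
    payload: bytes
    sport: Optional[int] = None
    dport: Optional[int] = None


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Minimal ESP header (RFC 4303): SPI, sequence number, encrypted body.
    SPI 0 must never appear on the wire: a receiver on port 4500 would read
    it as the Non-ESP marker and hand the packet to IKE instead."""
    if spi == 0:
        raise ValueError("SPI 0 collides with the Non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def encap_esp_in_udp(pkt: Packet) -> Packet:
    """RFC 3948 s.2.1: the whole ESP packet becomes a UDP payload, 4500->4500."""
    if pkt.proto != "esp":
        raise ValueError("only ESP is UDP-encapsulated")
    return Packet("udp", pkt.src, pkt.dst, pkt.payload, NAT_T_PORT, NAT_T_PORT)


def encap_ike_in_udp(src: str, dst: str, ike_message: bytes) -> Packet:
    """RFC 3947 s.5.2: after NAT is detected, IKE moves to 4500 with a zero
    marker in front so it can share the port with ESP."""
    return Packet("udp", src, dst, NON_ESP_MARKER + ike_message,
                  NAT_T_PORT, NAT_T_PORT)


def decap_udp_4500(pkt: Packet) -> Tuple[str, bytes]:
    """Demultiplex one datagram received on UDP/4500."""
    body = pkt.payload
    if body == NAT_KEEPALIVE:
        return ("keepalive", b"")
    if body[:4] == NON_ESP_MARKER:
        return ("ike", body[4:])
    return ("esp", body)       # first four bytes are a non-zero SPI


@dataclass
class PATBox:
    """Constructed port-address translator: one public address, mappings keyed
    on (inside address, inside port).  Not a model of the PIX."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto != "udp":
            # Raw ESP has no port field to rewrite, so two inside hosts
            # talking to the same peer are indistinguishable: drop it.
            return None
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet("udp", self.public_ip, pkt.dst, pkt.payload,
                      self.table[key], pkt.dport)


def demo() -> dict:
    """Client 10.0.0.5 behind PAT 203.0.113.10 talks to concentrator
    198.51.100.1 (all constructed).  Returns the observable results."""
    pat = PATBox(public_ip="203.0.113.10")
    client, concentrator = "10.0.0.5", "198.51.100.1"
    esp = build_esp(spi=0x1A2B3C4D, seq=1, ciphertext=b"\x99" * 16)

    raw = Packet("esp", client, concentrator, esp)
    raw_out = pat.outbound(raw)                      # None: cannot be mapped

    translated = pat.outbound(encap_esp_in_udp(raw))  # src/port rewritten
    esp_kind, esp_inner = decap_udp_4500(translated)  # concentrator side

    ike_out = pat.outbound(encap_ike_in_udp(client, concentrator, b"IKE-P1"))
    ike_kind, ike_inner = decap_udp_4500(ike_out)

    return {
        "raw_esp_passed": raw_out is not None,
        "translated_src": translated.src,
        "translated_sport": translated.sport,
        "translated_dport": translated.dport,
        "esp_kind": esp_kind,
        "esp_intact": esp_inner == esp,
        "spi": struct.unpack("!I", esp_inner[:4])[0],
        "ike_kind": ike_kind,
        "ike_intact": ike_inner == b"IKE-P1",
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the raw ESP packet is dropped by the translator while the same bytes inside UDP/4500 come out the far end unchanged; the IKE message shares the mapping and is told apart by its zero marker. For the firewall in front of the concentrator this is the reason the thread ends up at UDP 500 plus UDP 4500 (and Cisco's TCP port if TCP encapsulation is enabled), and the decapsulation rule is why a packet whose first four bytes happen to be zero can never be ESP.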

