Firewall Wizards mailing list archives

RE: Cisco VPN client behind a Netscreen


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Thu, 6 Nov 2003 08:45:28 -0500

Aram,

You do not need to create an IPSec policy on the NetScreen for VPN clients that are passing through it. (The same would be true if you had a VPN concentrator behind it and users were connecting inbound from the Internet.)

This problem most likely has to do with source port translation being performed by the NetScreen as part of its NAT rules for outbound traffic. The PIX will likely complain if the source port of the VPN client connection isn't 500 or 4500 as appropriate and prevent the tunnel from coming all the way up. The best fix for this is to upgrade the PIX OS version to a current release and enable the 'isakmp nat-traversal' feature.

However, since you don't have control over the PIX, another solution would be to configure a static NAT (NetScreen calls this MIP, or Mapped IP?) for just the VPN client workstation's IP address to an otherwise unused IP address on the firewall's outside subnet. This should prevent the source port from being modified when making the connection.

Good luck!

PaulM

-----Original Message-----
I have recently implemented a NetScreen 50 and I have users behind it that use a Cisco VPN client to connect to a Cisco PIX which I have no control over. Their VPN client is not functioning properly. Currently I have a policy allowing outbound traffic any from all inside. Does anyone know if I also need to create an IPSec policy for inbound traffic?

Thanks, Aram Smith
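Paul's diagnosis rests on two facts: a port-translating NAT rewrites the UDP source port of the client's IKE packets, and a responder with NAT traversal (RFC 3947) discovers such translation by comparing NAT-D hashes, while one without it just sees IKE arriving from an unexpected port. The script below is an added example, not code from the thread, from Cisco or from NetScreen. It implements the NAT-D hash from RFC 3947 (HASH over initiator cookie, responder cookie, IPv4 address and UDP port) and runs it over three constructed paths: the client behind the NetScreen's outbound PAT, the client behind a one-to-one MIP, and a client with no NAT at all. The cookies and the 10.1.1.5, 203.0.113.x and 198.51.100.7 addresses are sample values made up for the example.

```python
"""NAT-D check from RFC 3947, used to illustrate why outbound PAT breaks IKE
for a responder without NAT-T and what a one-to-one MIP changes.

Added example; all cookies and addresses are constructed sample values.
"""
import hashlib
import socket
import struct

ISAKMP_PORT = 500        # IKE without NAT-T
NAT_T_PORT = 4500        # port both peers float to once NAT is detected

# Constructed IKE cookies (8 octets each), not captured from any real exchange.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """Content of a NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    IP is the 4-octet IPv4 address and Port the 2-octet UDP port, both in
    network byte order; the hash is the one negotiated for the IKE SA
    (SHA-1 or MD5 in practice).
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(socket.inet_aton(ip))
    h.update(struct.pack("!H", port))
    return h.digest()


def peer_is_behind_nat(advertised: tuple, observed: tuple,
                       cky_i: bytes = CKY_I, cky_r: bytes = CKY_R,
                       hash_name: str = "sha1") -> bool:
    """Responder-side NAT detection.

    `advertised` is the (ip, port) the initiator hashed into the NAT-D
    payload describing itself; `observed` is the source (ip, port) of the
    UDP datagram as it actually arrived.  Any address or port rewrite on
    the path makes the two hashes differ, which is the RFC 3947 signal
    that a NAT sits between the peers.
    """
    sent = nat_d_hash(cky_i, cky_r, advertised[0], advertised[1], hash_name)
    seen = nat_d_hash(cky_i, cky_r, observed[0], observed[1], hash_name)
    return sent != seen


def describe_path(advertised: tuple, observed: tuple) -> tuple:
    """Return (nat_detected, ike_source_port_preserved) for one path.

    A NAT-T capable responder only needs the first flag: it floats the
    exchange to UDP 4500 and accepts whatever translated port shows up.
    A responder without NAT-T never computes NAT-D at all, so the second
    flag is what decides whether its IKE exchange looks well formed.
    """
    nat_detected = peer_is_behind_nat(advertised, observed)
    port_preserved = observed[1] == ISAKMP_PORT
    return nat_detected, port_preserved


if __name__ == "__main__":
    client = ("10.1.1.5", ISAKMP_PORT)            # VPN client inside the NetScreen
    paths = {
        "outbound PAT (interface NAT)": ("203.0.113.1", 1025),
        "one-to-one MIP for the client": ("203.0.113.10", ISAKMP_PORT),
        "no NAT in the path": client,
    }
    for name, observed in paths.items():
        nat, port_ok = describe_path(client, observed)
        print(f"{name:32s} NAT detected: {nat!s:5s}  "
              f"source port still {ISAKMP_PORT}: {port_ok}")
```

The MIP row is the interesting one: NAT-D still reports a NAT, because the address changed, but the source port stays at 500, which is all a responder that predates NAT-T needs. That is why Paul's static-NAT workaround can succeed against a PIX the poster cannot upgrade, while the proper fix remains enabling NAT-T on the responder (on PIX OS the keyword he cites takes a keepalive interval in seconds, e.g. `isakmp nat-traversal 20`), after which the translated port is tolerated and the exchange moves to UDP 4500.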