Date: Sun, 22 Dec 2002 18:36:46 -0600
From: Tom ONeil <tom.oneil@tacni.com>
To: Free <freebsd-isp@freebsd.org>
Subject: ipnat Cisco VPN problem
Message-ID: <3E065A9E.2050301@tacni.com>
Greetings all and happy holidays;

I have a 4.5-STABLE FreeBSD box using ipfilter and ipnat as a firewall/NAT box. It only allows one Cisco VPN client at a time to connect unless external IPs are mapped one-to-one. It will attempt to make the port 500 connection but does not seem to be assigning/allowing a variable port after the first one connects using port 10000. I suspect this is because of the ipnat rule

    map fxp0 192.168.1.0/24 -> xxx.xxx.xxx.xxx/32

that is sending all the traffic through one IP. I opened up the rules completely to eliminate that as a possibility. I confess much of this I am regurgitating from the Cisco docs, but (of course) the firewall guy is on vacation... Using trafshow I can see the attempted connections on port 500.

Directions, FAQs, requests for more info, etc. all welcome.

These are the VPN rulesets in place now:

    # Inbound
    pass in quick on fxp0 proto tcp from any to any port = 1723 flags S keep state
    pass out quick on fxp0 proto tcp from any to any port = 1723 flags S keep state
    pass in quick on fxp0 proto 47 from any to any
    pass out quick on fxp0 proto 47 from any to any
    pass in quick on fxp0 proto 50 from any to any
    pass out quick on fxp0 proto 50 from any to any
    pass in quick on fxp0 proto 51 from any to any
    pass out quick on fxp0 proto 51 from any to any
    pass in quick on fxp0 proto udp from any port = 500 to any port = 500
    pass out quick on fxp0 proto udp from any port = 500 to any port = 500

    ## Outgoing VPN Rules
    pass in quick on fxp1 proto tcp from any to any port = 1723 flags S keep state
    pass out quick on fxp1 proto tcp from any to any port = 1723 flags S keep state
    pass in quick on fxp1 proto 47 from any to any
    pass out quick on fxp1 proto 47 from any to any
    pass in quick on fxp1 proto esp from any to any
    pass out quick on fxp1 proto esp from any to any
    pass in quick on fxp1 proto ah from any to any
    pass out quick on fxp1 proto ah from any to any
    pass in quick on fxp1 proto ipencap from any to any
    pass out quick on fxp1 proto ipencap from any to any
    pass in quick on fxp1 proto udp from any port = 500 to any port = 500
    pass out quick on fxp1 proto udp from any port = 500 to any port = 500
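An added ipnat.conf fragment, not from the poster's box, showing how the many-to-one map rule quoted above can be written so that IKE (UDP 500) and Cisco's UDP encapsulation (port 10000) get a distinct translated source port per inside host, and why native ESP still needs the one-to-one mapping the poster mentions. The 203.0.113.0/24 addresses and the 192.168.1.10 host are constructed placeholders.

```conf
# Constructed example: 203.0.113.0/24 stands in for the real external block.
# Rules match top to bottom, so the one-to-one entry comes first.

# A host that must run native ESP (IP protocol 50) gets its own external
# address. ESP carries an SPI and sequence number but no port numbers, so a
# shared external address gives ipnat nothing per-host to rewrite: two inside
# hosts sending ESP to the same remote gateway cannot be told apart on the
# return path, which is consistent with "one client at a time".
bimap fxp0 192.168.1.10/32 -> 203.0.113.10/32

# Many-to-one for TCP/UDP: each inside host's IKE (UDP 500) and
# UDP-encapsulated IPsec (UDP 10000) flows get their own translated source
# port in 40000-60000, so several clients can share 203.0.113.1.
map fxp0 192.168.1.0/24 -> 203.0.113.1/32 portmap tcp/udp 40000:60000

# Everything else from the inside network is translated address-only.
map fxp0 192.168.1.0/24 -> 203.0.113.1/32
```

After loading the file with `ipnat -CF -f /etc/ipnat.conf`, `ipnat -l` lists the active translations, which shows directly whether a second client's UDP 500/10000 sessions receive their own mapped ports.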