Date: Wed, 17 Feb 2010 17:55:02 -0800 (PST)
From: Bill Tillman <btillman99@yahoo.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD to Cisco ASA 5505 VPN Connection
Message-ID: <233562.18986.qm@web36503.mail.mud.yahoo.com>
In-Reply-To: <F94B1CD5-AF3B-489C-9478-39472E0BCFD0@mac.com>
--- On Wed, 2/17/10, Chuck Swiger <cswiger@mac.com> wrote:

From: Chuck Swiger <cswiger@mac.com>
Subject: Re: FreeBSD to Cisco ASA 5505 VPN Connection
To: "Bill Tillman" <btillman99@yahoo.com>
Cc: freebsd-questions@freebsd.org
Date: Wednesday, February 17, 2010, 5:17 PM

Hi--

On Feb 17, 2010, at 3:06 PM, Bill Tillman wrote:
> The tech told me that I need to forward ports 500 and 4500 with my FreeBSD router to the small VPN router inside my LAN. That's simple enough but then he tells me I need to redirect all EPS and all AH traffic as well. I guess this is where FreeBSD+NATD+IPFW hits the wall when working with Cisco or is it? I gotta believe this can work but I don't know how the heck to do it and the tech at our IT consultant is totally lost when it comes to anything besides Cisco equipment.
>
> Has anyone got a suggestion on how to do a port redirect with natd to pick up these EPS and AH packets? I added some new lines to my /etc/natd.conf file and the AH part seemed ok but the console screen immediately said what the heck is EPS. And worse it did not work. Only when I put the VPN router outside of my existing router does this setup work. I really want to keep this thing inside my LAN or even better would be how do I get my existing router to work as a VPN on its own?

When I was dealing with the Cisco VPN client, I was doing so with IPFW+natd and you need 500/udp, 4500/udp, 62515/udp, 1723/tcp, 10000/tcp, and the GRE protocol. In my case, /etc/natd.conf contained:

    punch_fw 10000:100
    redirect_proto gre 10.1.1.247
    redirect_port udp 10.1.1.247:500 500
    redirect_port udp 10.1.1.247:4500 4500
    redirect_port udp 10.1.1.247:62515 62515
    redirect_port tcp 10.1.1.247:10000 10000
    redirect_port tcp 10.1.1.247:pptp pptp

...to send the traffic to a VPN endpoint located at IP 10.1.1.247.

Regards,
-- 
-Chuck

Thanks for everyone's valuable input on this. I'm still new to all these protocol and port forwarding topics.

As I see it, in the /etc/protocols file they list esp, ah and gre, so I would need all of this in my /etc/natd.conf like this:

    punch_fw 10000:100
    redirect_proto gre 10.0.0.252
    redirect_proto esp 10.0.0.252
    redirect_proto ah 10.0.0.252
    redirect_port udp 10.0.0.252:500 500
    redirect_port udp 10.0.0.252:4500 4500
    redirect_port udp 10.0.0.252:62515 62515
    redirect_port tcp 10.0.0.252:10000 10000
    redirect_port tcp 10.0.0.252:pptp pptp

The VPN router inside my LAN is 10.0.0.252. Then I added these rules to my ipfw rule set:

    ipfw add allow udp from any to any 500
    ipfw add allow udp from any to any 4500
    ipfw add allow udp from any to any 62515
    ipfw add allow tcp from any to any 10000
    ipfw add allow tcp from any to any 1723

The VPN router makes the connection to the other Cisco router but the phone still does not work. I turned the firewall in my VPN router off but still no go. This only works when I place the VPN router upstream of my router, so it's got to be something in my FreeBSD router which is not letting the traffic through. I've been checking my /var/log/security file but don't see anything being blocked that's related to this.
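As an added example that is not part of the thread: a small POSIX sh script that compares each natd.conf redirect against the ipfw rule set (as printed by `ipfw list`) and reports any redirected protocol or port for which no allow rule exists. The inputs are constructed to mirror the configuration posted above; the only service name it translates to a number is pptp, so other names would need the same treatment.

```shell
#!/bin/sh
# Added example (not from the thread): list natd redirects that the ipfw
# rule set never explicitly allows. Both inputs are constructed samples.

NATD_CONF='punch_fw 10000:100
redirect_proto gre 10.0.0.252
redirect_proto esp 10.0.0.252
redirect_proto ah 10.0.0.252
redirect_port udp 10.0.0.252:500 500
redirect_port udp 10.0.0.252:4500 4500
redirect_port udp 10.0.0.252:62515 62515
redirect_port tcp 10.0.0.252:10000 10000
redirect_port tcp 10.0.0.252:pptp pptp'

# Constructed `ipfw list` output containing only the rules from the thread.
IPFW_RULES='00100 allow udp from any to any 500
00200 allow udp from any to any 4500
00300 allow udp from any to any 62515
00400 allow tcp from any to any 10000
00500 allow tcp from any to any 1723'

# Emit one "proto port" pair per natd redirect; port is "-" for redirect_proto.
# Service names are normalised here by hand (only pptp is mapped).
natd_targets() {   # $1 = natd.conf text
    printf '%s\n' "$1" | awk '
        $1 == "redirect_proto" { print $2, "-" }
        $1 == "redirect_port"  { port = $4; if (port == "pptp") port = 1723
                                 print $2, port }'
}

# Succeed if the rule set has an allow rule for proto (and, if given, dst port).
ipfw_allows() {   # $1 = ipfw list text, $2 = proto, $3 = port or "-"
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" '
        $2 == "allow" && ($3 == p || $3 == "ip") && (d == "-" || $NF == d) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print every natd redirect with no matching ipfw allow rule, one per line.
missing_allow_rules() {   # $1 = natd.conf text, $2 = ipfw list text
    natd_targets "$1" | while read -r proto port; do
        ipfw_allows "$2" "$proto" "$port" || echo "$proto $port"
    done
}

missing_allow_rules "$NATD_CONF" "$IPFW_RULES"
```

With the sample inputs it reports the three redirect_proto entries (gre, esp, ah) as having no allow rule, while every udp/tcp port redirect is covered.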