VPN issues when client AND server are behind NAT/Firewall

Anonymous
May 20, 2004 5:19:29 PM

Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

Hello:

I work for a consulting company and we are currently executing a
project for a customer who is located across the country. In order to
avoid frequent travel for integration, testing & deployment of the
various software modules we are developing, we decided to request the
client for VPN access to their network. All our desktops are behind a
firewall/NAT router and we are assigned DHCP addresses. In addition,
the VPN server in the client's site is behind a similar firewall/NAT
setup. Because of all the IP masquerading taking place, we are unable
to establish a successful VPN connection unless one of the two
machines is in a DMZ (outside the firewall, openly accessible on the
internet). The VPN setup at the client is by NetScreen and the
operating environment on both sides is primarily Microsoft-based.

Can somebody please advise us of solutions from their past
experiences or at least suggest possible workarounds/debugging methods
to resolve this issue?

Thanks a lot in advance,
Swaroop
Anonymous
May 21, 2004 12:32:42 AM

Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

In article <9ac24bd7.0405201219.21ff44d5@posting.google.com>,
swaroop1967@yahoo.com says...
> Hello:
>
> I work for a consulting company and we are currently executing a
> project for a customer who is located across the country. In order to
> avoid frequent travel for integration, testing & deployment of the
> various software modules we are developing, we decided to request the
> client for VPN access to their network. All our desktops are behind a
> firewall/NAT router and we are assigned DHCP addresses. In addition,
> the VPN server in the client's site is behind a similar firewall/NAT
> setup. Because of all the IP masquerading taking place, we are unable
> to establish a successful VPN connection unless one of the two
> machines is in a DMZ (outside the firewall, openly accessible on the
> internet). The VPN setup at the client is by NetScreen and the
> operating environment on both sides is primarily Microsoft-based.
>
> Can somebody please advise us of solutions from their past
> experiences or at least suggest possible workarounds/debugging methods
> to resolve this issue?

Would it be safe to assume that both remote networks are on the same
subnet? Meaning that you are using 192.168.1.X/24 (or any other) on both
sides?

If you don't use different subnets you will have no end to problems.

If you are going to start doing remote support you need to use a non-
standard subnet for your systems that will be contacting the remote
companies (like 192.168.250.x/24)....

Are you using the Netscreen VPN client tool?


--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
May 21, 2004 12:36:20 AM

Archived from groups: comp.security.firewalls (More info?)

Swaroop Kumar wrote:

(snip)

> we are unable to establish a successful VPN connection unless one of the two
> machines is in a DMZ (outside the firewall, openly accessible on the
> internet).

You could try using a router with vpn support to act as the man in the
middle.

(snip)

> Thanks a lot in advance,
> Swaroop


--
May the ping be with you ....

Registered Linux user number: 355729
Anonymous
May 21, 2004 3:24:26 AM

Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

Swaroop Kumar wrote:

> I work for a consulting company and we are currently executing a
> project for a customer who is located across the country. [...]

> Can somebody please advise us of solutions from their past
> experiences or at least suggest possible workarounds/debugging methods
> to resolve this issue?

Yes, if you pay.

Sorry, but if consultants start whining for free support ...

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
Anonymous
May 21, 2004 10:35:29 AM

Archived from groups: comp.security.firewalls (More info?)

Thanks, Stalks. The problem is that it may be difficult to convince
them to change their router just for this purpose. I will use this
solution as a last resort, though.

Thanks again,
Swaroop
Anonymous
May 22, 2004 12:40:43 AM

Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

Hi Kumar

You will need an IPSec VPN product that supports the NAT-Traversal feature
(most modern IPSec solutions do).

With NAT-Traversal, IPSec will auto-detect the blocked ports and protocols
and switch to encapsulate the IPSec/IKE traffic in UDP - on port 4500.


--
Kind Regards,
Bjarne Jensen - bj@fx.dk
F/X Communications | Security software for professionals
Denmark - http://www.fx.dk


"Swaroop Kumar" <swaroop1967@yahoo.com> wrote in message
news:9ac24bd7.0405201219.21ff44d5@posting.google.com...
> Hello:
>
> I work for a consulting company and we are currently executing a
> project for a customer who is located across the country. In order to
> avoid frequent travel for integration, testing & deployment of the
> various software modules we are developing, we decided to request the
> client for VPN access to their network. All our desktops are behind a
> firewall/NAT router and we are assigned DHCP addresses. In addition,
> the VPN server in the client's site is behind a similar firewall/NAT
> setup. Because of all the IP masquerading taking place, we are unable
> to establish a successful VPN connection unless one of the two
> machines is in a DMZ (outside the firewall, openly accessible on the
> internet). The VPN setup at the client is by NetScreen and the
> operating environment on both sides is primarily Microsoft-based.
>
> Can somebody please advise us of solutions from their past
> experiences or at least suggest possible workarounds/debugging methods
> to resolve this issue?
>
> Thanks a lot in advance,
> Swaroop
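The switch Bjarne describes (IKE and ESP moved into UDP on port 4500 once a NAT is detected) leaves a recognisable fingerprint in a firewall log or packet capture, which is useful when debugging why a tunnel never comes up. The following is an added example, not code from this thread or from any vendor's product: it classifies datagrams by the RFC 3948 framing (a four-zero-byte "Non-ESP marker" in front of IKE on 4500, a single 0xFF byte for keepalives, otherwise UDP-encapsulated ESP), and the sample capture is constructed, not real traffic.

```python
from collections import Counter
from dataclasses import dataclass
# IANA numbers: UDP/500 is IKE, UDP/4500 is IPsec NAT-T (RFC 3948), IP proto 50 ESP, 51 AH
IKE_PORT, NATT_PORT = 500, 4500
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: prefix on IKE carried over 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte NAT keepalive datagram

@dataclass
class Datagram:
    ip_proto: int
    dst_port: int     # 0 for protocols that have no ports (ESP, AH)
    payload: bytes    # transport payload, i.e. the bytes after the UDP header

def classify(d: Datagram) -> str:
    if d.ip_proto == PROTO_ESP:
        return "esp-raw"          # IP proto 50: most NAT routers cannot forward it
    if d.ip_proto == PROTO_AH:
        return "ah-raw"           # AH authenticates the IP header, so NAT breaks it
    if d.ip_proto != PROTO_UDP:
        return "other"
    if d.dst_port == IKE_PORT:
        return "ike-udp500"       # phase 1 starts here; NAT-T detection happens in it
    if d.dst_port == NATT_PORT:
        if d.payload == NAT_KEEPALIVE:
            return "natt-keepalive"
        if d.payload.startswith(NON_ESP_MARKER):
            return "natt-ike"     # IKE moved to 4500 once a NAT was detected
        if len(d.payload) >= 8:   # ESP header: non-zero SPI (4) + sequence number (4)
            return "natt-esp"     # UDP-encapsulated ESP carrying the tunnel data
        return "natt-malformed"
    return "other"

def summarize(capture) -> dict:
    # Count classes seen; what is present tells you what the NAT/firewall must pass.
    return dict(Counter(classify(d) for d in capture))

def nat_traversal_active(capture) -> bool:
    # True once the peers have switched to UDP/4500 encapsulation.
    return any(classify(d) in ("natt-ike", "natt-esp") for d in capture)

# Constructed sample capture (not real traffic): IKE on 500, the switch to 4500,
# one UDP-encapsulated ESP packet, a keepalive, and one raw ESP packet.
SAMPLE_CAPTURE = [
    Datagram(PROTO_UDP, IKE_PORT, bytes(28)),                      # IKE header only
    Datagram(PROTO_UDP, NATT_PORT, NON_ESP_MARKER + bytes(28)),   # IKE after NAT-T
    Datagram(PROTO_UDP, NATT_PORT, bytes.fromhex("0000abcd00000001") + bytes(16)),
    Datagram(PROTO_UDP, NATT_PORT, NAT_KEEPALIVE),
    Datagram(PROTO_ESP, 0, bytes(24)),                             # no NAT-T in use
]
```

If a capture taken at the NAT'd client shows only "ike-udp500" and "esp-raw", the peers never negotiated NAT-T, which is exactly the case where the tunnel only works with one side in a DMZ.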
Anonymous
May 22, 2004 1:51:03 AM

Archived from groups: comp.security.firewalls,comp.dcom.vpn (More info?)

"Swaroop Kumar" <swaroop1967@yahoo.com> wrote in message
news:9ac24bd7.0405201219.21ff44d5@posting.google.com...
> Hello:
>
> I work for a consulting company and we are currently executing a
> project for a customer who is located across the country. In order to
> avoid frequent travel for integration, testing & deployment of the
> various software modules we are developing, we decided to request the
> client for VPN access to their network. All our desktops are behind a
> firewall/NAT router and we are assigned DHCP addresses. In addition,
> the VPN server in the client's site is behind a similar firewall/NAT
> setup. Because of all the IP masquerading taking place, we are unable
> to establish a successful VPN connection unless one of the two
> machines is in a DMZ (outside the firewall, openly accessible on the
> internet). The VPN setup at the client is by NetScreen and the
> operating environment on both sides is primarily Microsoft-based.

It doesn't seem right that you charge for passing on free advice.... (the old
joke is that a consultant is someone who charges you to tell you the time
using your own watch)
>
> Can somebody please advise us of solutions from their past
> experiences or at least suggest possible workarounds/debugging methods
> to resolve this issue?

One end (or both) needs to act as a server, so you have to have a way to get
a connection to that unit from the internet - a DMZ would work, or a VPN server
embedded in a firewall, or a VPN appliance's hardened interface connected
directly to the "outside".

Then, you need a consistent addressing scheme - the VPN is basically a
routed network overlaid onto internet plumbing, and needs different subnets
at each place, routing and so on.

Finally - you need a client that understands address translation. It doesn't
matter how many translations there are across the path, but you need to be
able to initiate a connection end to end - sometimes using TCP encapsulation
helps.
>
> Thanks a lot in advance,
> Swaroop
--
Regards

Stephen Hope - return address needs fewer xxs
!