L2TP / IPSec VPN...

Archived from groups: comp.dcom.vpn (More info?)

We have a PIX firewall and we want to be able to allow L2TP VPN connections
out for our users. If we map an internal system to a valid external IP
address and permit 1701 UDP, 500 UDP and ESP outbound and inbound, it works.
The problem is, we do not have 500 valid external addresses to provide this
functionality to everyone who requires it. If we permit those ports
incoming to our global address (the one that everyone goes out on for HTTP), the
VPN cannot connect. We are missing something and my best guess from what
information I can find is the following:

set nat entry add {internal device address} 1701 {outside NAT address} 1701 udp

That looks like it will still only work for one address. Is this the right
entry to make, or are we completely off? Any assistance would be
appreciated. Clients have to be able to connect to this VPN from behind the
NAT firewall.

TIA
KeTTA
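The following Python model is an added example and is not code from any post in this thread. It shows the mechanism the post above is running into: PAT (one global address shared by everyone) works by rewriting the UDP or TCP source port, but ESP (IP protocol 50) carries no transport header, so a translator has nothing to rewrite and can at best pass one raw ESP flow per global address. IKE on UDP 500 translates like any other UDP flow, and NAT-T (RFC 3948) wraps ESP in UDP port 4500 so that the same PAT works for many clients at once. The addresses, the three inside clients and the "single owner for raw ESP" rule are constructed assumptions for the simulation, not the PIX's actual translation logic.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
GATEWAY = "198.51.100.5"      # remote VPN gateway in the other facility
GLOBAL_IP = "203.0.113.1"     # the single PAT address everyone shares
INSIDE = ["192.168.10.2", "192.168.10.3", "192.168.10.4"]  # inside VPN clients


@dataclass(frozen=True)
class Packet:
    proto: str                     # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None    # ESP has no transport header, so no ports
    dport: Optional[int] = None


class PAT:
    """Port address translation: many inside hosts behind one global IP.

    Assumed model: UDP flows are keyed by (inside IP, inside port) and get a
    fresh global port; raw ESP has no port, so this translator can only
    remember a single inside host to hand ESP replies back to.
    """

    def __init__(self, global_ip: str) -> None:
        self.global_ip = global_ip
        self.next_port = 1024
        self.fwd: Dict[tuple, int] = {}   # (inside_ip, inside_port) -> global_port
        self.rev: Dict[int, tuple] = {}   # global_port -> (inside_ip, inside_port)
        self.esp_owner: Optional[str] = None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means it was dropped."""
        if pkt.proto == "udp":
            key = (pkt.src, pkt.sport)
            if key not in self.fwd:
                gport = self.next_port
                self.next_port += 1
                self.fwd[key] = gport
                self.rev[gport] = key
            return replace(pkt, src=self.global_ip, sport=self.fwd[key])
        if pkt.proto == "esp":
            # Only the source IP can be rewritten; with no port to overload,
            # a second inside host's ESP cannot be told apart on the way back.
            if self.esp_owner is None:
                self.esp_owner = pkt.src
            elif self.esp_owner != pkt.src:
                return None
            return replace(pkt, src=self.global_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside reply; None means no matching entry."""
        if pkt.dst != self.global_ip:
            return None
        if pkt.proto == "udp":
            key = self.rev.get(pkt.dport)
            if key is None:
                return None
            return replace(pkt, dst=key[0], dport=key[1])
        if pkt.proto == "esp":
            if self.esp_owner is None:
                return None
            return replace(pkt, dst=self.esp_owner)
        raise ValueError(f"unsupported protocol {pkt.proto}")


def tunnel_works(pat: PAT, client: str, proto: str, port: Optional[int]) -> bool:
    """One client sends a packet out and the gateway answers to what it saw.

    Returns True only if the answer is delivered back to that same client.
    """
    out = pat.outbound(Packet(proto, client, GATEWAY, port, port))
    if out is None:
        return False
    reply = Packet(proto, GATEWAY, out.src, out.dport, out.sport)
    back = pat.inbound(reply)
    return back is not None and back.dst == client


def simulate(proto: str, port: Optional[int]) -> Dict[str, bool]:
    """Run every inside client through one shared PAT for the given flow type."""
    pat = PAT(GLOBAL_IP)
    return {client: tunnel_works(pat, client, proto, port) for client in INSIDE}


if __name__ == "__main__":
    print("IKE, UDP/500 :", simulate("udp", 500))    # every client succeeds
    print("raw ESP      :", simulate("esp", None))   # only the first client succeeds
    print("NAT-T, UDP/4500:", simulate("udp", 4500)) # every client succeeds
```

Running the block shows the asymmetry directly: the IKE exchange on UDP 500 and the NAT-T encapsulation on UDP 4500 both multiplex cleanly through one global address, while raw ESP lets exactly one client through and drops the rest, which matches "it works with a one-to-one mapping, fails on the shared address". The practical check on a real firewall is therefore whether both the client and the remote gateway negotiate NAT-T and whether UDP 4500 is permitted in both directions, rather than adding more rules for ESP.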
 
G

Guest

Guest
Archived from groups: comp.dcom.vpn (More info?)

Ketta wrote:

> We have a PIX firewall and we want to be able to allow L2TP VPN connections
> out for our users. If we map an internal system to a valid external IP
> address and permit 1701 UDP, 500 UDP and ESP outbound and inbound, it works.
> The problem is, we do not have 500 valid external addresses to provide this
> functionality to everyone who requires it. If we permit those ports
> incoming to our global address (the one that everyone goes out on for HTTP), the
> VPN cannot connect. We are missing something and my best guess from what
> information I can find is the following:

Excuse me,

I think you want to allow your users to VPN _in_ to your corporate
network.

Therefore only your corporate VPN gateway needs a fixed and routable IP
address. The clients can use dynamic addresses (that is, addresses
provided to them by their ISP).

For L2TP you only need UDP port 1701.

--
Martin Bodenstedt

www.landtag-bw.de / www.die-bodenstedts.de
 
G

Guest

Guest
Archived from groups: comp.dcom.vpn (More info?)

We have a userbase of approximately 500 people, physically in the same
building behind a PIX firewall. Some of these users must use a VPN client
to connect to other facilities in another country that allow incoming VPN
connections. The issue is, we can get each user connected to the VPN in the
other facility if we assign them a valid internet IP address specifically in
the firewall (i.e. 192.168.10.2 = <valid ip>). When the internal address is
not assigned to a valid IP, the connectivity fails. We thought simply
opening those ports would suffice, but we must be missing something. We do
not want to provide VPN connectivity for mobile users into our corporate
network, only VPN capability out to other networks. I am probably making no
sense.

Thank you for the response,
Ketta

"Martin Bodenstedt" <martin.bodenstedt@gmx.de> wrote in message
news:cjh5f4$bar$1@news.BelWue.DE...

> Excuse me,
>
> I think you want to allow your users to VPN _in_ to your corporate
> network.
>
> Therefore only your corporate VPN gateway needs a fixed and routable IP
> address. The clients can use dynamic addresses (that is, addresses
> provided to them by their ISP).
>
> For L2TP you only need UDP port 1701.
>
> --
> Martin Bodenstedt
>
> www.landtag-bw.de / www.die-bodenstedts.de