How To Open Ports on NAT Server

Status
Not open for further replies.
Jun 30, 2003
I am trying to set up VPN access through a NAT server. I am informed to open up UDP port 500, TCP ports 5080, 389, 50, etc. to allow IPSEC traffic to go through. I wonder if someone could tell me HOW to open those ports on a NAT server. Thank you in advance!

Mickey
 
Your VPN server is in the same server with NAT or in a different one? You had better put them in the same machine. Also, IPSec can't go through NAT. You need to use PPTP if your VPN pass through a NAT.
 
VPN is slight of hand, smoke and mirrors, and is easily blocked by lots of things, so don't get too frustrated. Open ports, etc., is not the simple answer to make it all work.

Richard is correct, by its very design VPN WILL NOT PASS through a NAT firewall. There are exceptions to this, as I use a SonicWall firewall that does allow the VPN clients to pass through under NAT, but only their specific VPN software will work.

As for opening the ports, that depends on the firewall you are using, as they all do it differently. Checkpoint, for example, will bring up complete tables which allow you to pick and choose the UDP and TCP ports. My Watchguard firewall provides a place where you enter each specific port and type. I believe SonicWall uses rules and tables (have not done it lately, just barely recall!) which can block services, etc.

If you set up the VPN to terminate on the server that is doing the NAT (i.e., the one providing the firewall functions), then the VPN link does not have to pass through the NAT, provided the data you want to access is on that system. This type of VPN link is secure between the two end points only, not all the way to an internal server. There are also Group VPN and Single VPN tunnels, etc., all of which do things differently.

Making the VPN link go through the firewall and see a connection point at a NAT address is a lot more tricky, and therein lies the problem. The NAT point changes TCP/IP values in the data stream of the traffic to replace the inside and outside addresses. You cannot do this to the VPN link since it has been encrypted with the original information, and changing the bit stream values breaks the decryption of the data (very complex, but interesting).

What exactly are you trying to do?

HTH

David
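The point David makes above (a NAT rewrites the addresses that IPsec has already authenticated) can be shown with a small toy model. This is an added example, not code from the thread or from any IPsec implementation: it mimics an AH-style integrity check that covers the IP addresses, and an ESP-style check that covers only the encrypted payload (which is what UDP 4500 NAT-Traversal encapsulation relies on). Keys, addresses and packet contents are constructed for the demo.

```python
"""Toy model of why an address-rewriting NAT breaks IPsec AH, while
UDP-encapsulated ESP (NAT-T, UDP 4500) survives it.
Constructed example, not a real IPsec stack."""
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-sa-key"  # shared SA key, constructed for the demo

@dataclass(frozen=True)
class Packet:
    src: str          # outer IP source address
    dst: str          # outer IP destination address
    sport: int        # outer UDP source port (only meaningful for NAT-T)
    dport: int        # outer UDP destination port
    payload: bytes    # AH/ESP-protected data
    icv: bytes = b""  # integrity check value attached by the sender

def ah_icv(pkt: Packet) -> bytes:
    # AH authenticates immutable IP header fields, including both addresses.
    covered = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()

def esp_icv(pkt: Packet) -> bytes:
    # ESP authenticates only the ESP header/payload/trailer, never the outer IP/UDP header.
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()

def nat_rewrite(pkt: Packet, public_ip: str, public_port: int) -> Packet:
    # What a NAT router does on the way out: swap the private source address/port.
    return replace(pkt, src=public_ip, sport=public_port)

def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(ah_icv(pkt), pkt.icv)

def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(esp_icv(pkt), pkt.icv)

def demo() -> dict:
    # Client 192.168.1.10 behind a NAT talks to a VPN server at 203.0.113.5 (constructed).
    inner = Packet("192.168.1.10", "203.0.113.5", 4500, 4500, b"encrypted tunnel data")
    ah = replace(inner, icv=ah_icv(inner))
    esp = replace(inner, icv=esp_icv(inner))
    natted_ah = nat_rewrite(ah, "198.51.100.7", 61000)
    natted_esp = nat_rewrite(esp, "198.51.100.7", 61000)
    return {
        "ah_direct": ah_verify(ah),                  # True
        "ah_through_nat": ah_verify(natted_ah),      # False: addresses were covered
        "esp_natt_direct": esp_verify(esp),          # True
        "esp_natt_through_nat": esp_verify(natted_esp),  # True: outer header not covered
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'ICV FAILED'}")
```

Bare ESP (IP protocol 50) has no port numbers for a NAT to rewrite and multiplex on, so even with the ICV intact it usually fails behind a NAT; wrapping it in UDP 4500 is what gives the NAT something to translate.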
 
Thank you very much, guys, for the input.

In the past, Microsoft didn't support IPSEC over NAT. With the latest Win2k updates, it is supposed to support IPSEC over NAT.

My problem is that any client behind the NAT is not able to connect to an external VPN server across the internet. If I connect the client directly to the internet bypassing the NAT, it is working fine. If I put the VPN client software directly on the NAT server, it is also working ok with VPN, but blocking all client connections to the internet; obviously, the NAT part is disabled, which I can not afford to lose. Using a VPN client behind the NAT, I got an 'IPSEC Terminater not found ...' error.

The VPN server I am trying to connect is hosted by AT&T. I called AT&T and was informed that they are using l2tp and IPSEC drivers are needed and loaded by the AT&T client software at the client workstation to initiate the tunneling. I was also instructed to open those ports:
UDP 500, 4500, TCP 50, 5080, 379... on the NAT Server/Router.

I tried mapping those ports on the NAT/Router public interface card configurations to the internal private interface, but STILL couldn't get the tunneling to go through the NAT. Any suggestions would be greatly appreciated. I have been working on this on and off for a few months already and have been trying not to get too frustrated... Thank you again!

Mickey
