Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN tunneling question

Status
Not open for further replies.
ianicr

ianicr

IS-IT--Management
Joined
Nov 4, 2003
Messages
230
Location
GB
Hi, We've got a remote office with a Cisco firewall. Our office uses a RH9 box as a firewall/router. The cisco firewall only allows one connection per IP. We've jusdt got a new member of staff who needs to use the VPN. Can anyone tell me if theres a way to use the RH9 box to tunnel through to the VPN?
 
Sort by date Sort by votes
so can I use openvpn to tunnel to the cisco box?
 
Upvote 0 Downvote
No, you cannot use openvpn for your cisco based solution
afaik.

Well it seems you have a problem.
Without knowing your configuration I can't say for certain,
whether a pool of suitable addresses actually exists but
the snat chain in the nat table is the best way to deal
with your issue if addresses are available.

Code: 
   SNAT
       This target is  only  valid  in  the  nat  table,  in  the
       POSTROUTING  chain.   It specifies that the source address
       of the packet should be modified (and all  future  packets
       in this connection will also be mangled), and rules should
       cease being examined.  It takes one option:

       --to-source  <ipaddr>[-<ipaddr>][:port-port]
              which can specify a single new source  IP  address,
              an inclusive range of IP addresses, and optionally,
              a port range (which is only valid if the rule  also
              specifies  -p  tcp or -p udp).  If no port range is
              specified, then source  ports  below  512  will  be
              mapped  to other ports below 512: those between 512
              and 1023 inclusive will be mapped  to  ports  below
              1024,  and  other  ports  will be mapped to 1024 or
              above. Where  possible,  no  port  alteration  will
              occur.
 
Upvote 0 Downvote
So I can use SNAT to give clients an external IP?
 
Upvote 0 Downvote
If you have them, yes.
 
Upvote 0 Downvote
Yes I have spare external IPs. How would I go about setting that up?
 
Upvote 0 Downvote
So that would map whatever is in $localbet to the range 10.21.3.1 yes? So if i run:

iptables -t nat - A POSTROUTING -s 192.168.2.81 -p udp -j SNAT --to 82.100.100.100

that will make everything from 192.168.2.81 look like its come from 82.100.100.100? obviously with a correct spare external IP address...
 
Upvote 0 Downvote
Out of curiosity, why won't OpenVPN talk to Cisco? Is one of them not using IPSec standards?
 
Upvote 0 Downvote
According to the guys that run the cisco firewall I only need UDP. So I've got my machine at 192.168.2.81. Should the rule above make all UDP traffice from 192.168.2.81 come from 82.100.100.100? because I've tried it and when the connection to the VPN is made it still says its coming from my original IP...
 
Upvote 0 Downvote
Okay.
I've just tested this situation and it works flawlessly.
Configuration:
Code: 
eth0:2    Link encap:Ethernet  HWaddr foobar
          inet addr:123.21.3.4  Bcast:123.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:3

eth0:3    Link encap:Ethernet  HWaddr foobar
          inet addr:12.21.3.4  Bcast:12.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:3

Now I add this rule:
Code: 
iptables -t nat -A POSTROUTING -s 12.21.3.4 -j SNAT --to 123.21.3.4

Now since I have no legitimate routes, none of this
traffic can be empirically proven by conventional connectivity tests. However,tcpdump is my buddy.;)

Code: 
ping -I 12.21.3.4 [URL unfurl="true"]www.yahoo.com[/URL]
PING [URL unfurl="true"]www.yahoo.akadns.net[/URL] (216.109.118.75) from 12.21.3.4 : 56(84) bytes of data

and tcpdump says:
Code: 
2:25:38.431845 IP 123.21.3.4 > p7.[URL unfurl="true"]www.dcn.yahoo.com:[/URL] icmp 64: echo request seq 1
12:25:39.441754 IP 123.21.3.4 > p7.[URL unfurl="true"]www.dcn.yahoo.com:[/URL] icmp 64: echo request seq 2
12:25:40.441613 IP 123.21.3.4 > p7.[URL unfurl="true"]www.dcn.yahoo.com:[/URL] icmp 64: echo request seq 3
12:25:41.441461 IP 123.21.3.4 > p7.[URL unfurl="true"]www.dcn.yahoo.com:[/URL] icmp 64: echo request seq 4
12:25:42.441307 IP 123.21.3.4 > p7.[URL unfurl="true"]www.dcn.yahoo.com:[/URL] icmp 64: echo request seq 5

Pretty cool. Run tcpdump against the src address you are
hoping to snat and see what's going on.
 
Upvote 0 Downvote
You can also allow multiple VPN clients on a single IP address to access the Cisco Pix. Enabling "nat traversal" on the Pix fixed it in my situation.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AbidingDude
  • Locked
  • Question Question
Newbie Apache Cache Question
Replies
5
Views
912
AbidingDude
AbidingDude
johngiggs
  • Locked
  • Question Question
Regex Question
Replies
1
Views
508
johngiggs
johngiggs
abrooks3640
  • Locked
  • Question Question
Two Servers on One Machine - iframe question
Replies
0
Views
255
abrooks3640
abrooks3640
bithead9
  • Locked
  • Question Question
Any good clientless VPN solutions either free or Open Source
Replies
2
Views
444
bithead9
bithead9
giovanni4000
  • Locked
  • Question Question
Accessing LAMP application behind VPN
Replies
8
Views
507
IPGuru
IPGuru

Part and Inventory Search

Sponsor

Back
Top