topic Re: Don't Port that thing at me! in General Topics

Don't Port that thing at me!

Razerback — Thu, 21 Sep 2017 02:42:31 GMT

Hi All,

Heres my problem, I am setting up a L2TP/IPsec remote access VPN for staff and I am having issues with the IKE traffice on port 500. We are using an internal RRAS server which I have set the palo up to NAT all port 500 traffic and IKE services to once it hits our outside interface. We also currently have 2 Site-to-Site VPNs setup and running on the same outside interface, this is causing conflict. How can I direct/filter the remote access VPN traffic to the RRAS with out effecting the site-to-site traffic? I am out of ideas.

Any help will be much appreciated.

Thanks

Re: Don't Port that thing at me!

Raido_Rattameister — Thu, 21 Sep 2017 04:54:40 GMT

This traffic to RRAS is coming from roaming users with changing IPs?

If so then create 2 NAT rules.

Top one:

From untrust to untrust.

Specify source address (your IPSec peer IPs) and destination IP (interface IPSec runs on your side).

Leave Source NAT and Destination NAT unconfigured.

Second rule is for regular DNAT rule to nat port 500 to RRAS.

First rule will avoid applying NAT for site-to-site IPSec.

Re: Don't Port that thing at me!

Razerback — Thu, 21 Sep 2017 05:29:23 GMT

So How can I define Peers Source IP's if they are roaming?

Re: Don't Port that thing at me!

Raido_Rattameister — Thu, 21 Sep 2017 05:59:13 GMT

You specify source IP on first rule.

In this rule you specify those 2 peer IPs.

You said: "We also currently have 2 Site-to-Site VPNs setup and running on the same outside interface"

In second rule that matches roaming users you leave source IP to Any.

Re: Don't Port that thing at me!

Razerback — Thu, 21 Sep 2017 06:48:21 GMT

Ah right, let me give this a try and let you know how it goes.

Re: Don't Port that thing at me!

pulukas — Thu, 21 Sep 2017 20:41:15 GMT

If that doesn't work for you, ask the MS admin to change to PPTP on the RRAS server and this will use port 1723 and GRE 47 instead.

Re: Don't Port that thing at me!

Razerback — Wed, 27 Sep 2017 04:03:56 GMT

Raido - Still a no go. it wont allow both to run side by side, only one of the other.

pulukas - We currently have a PPTP VPN setup, we are tying to move away from that protocal to something more secure.

Re: Don't Port that thing at me!

Raido_Rattameister — Wed, 27 Sep 2017 04:36:03 GMT

Not sure what stops from having 2 NAT rules?

Use following example.

1.1.1.1 is your firewall wan IP

5.5.5.5 is IPSec peer IP

10.10.10.10 is PPTP IP in your internal network.

First rule avoids applying NAT for traffic from IPSec peer so traffic hits firewall wan IP.

Second rule will NAT everything else further.

You probably want to add udp-500 port into Service field to be more specific.

Re: Don't Port that thing at me!

Razerback — Thu, 28 Sep 2017 22:58:37 GMT

After a few days of testing, looks like everything is working well. I removed port 500 from the NAT translated port option and added UDP port 500 to services, no conflicts so far. Thanks for all your help, I really appreciate it.