NAT-T + VPN Tunnel

Assuming that I have the following:

-------------------Router--------------PIX--------------LAN

(Public Outside) (Private Inside)

And the router on the outside has a static translation for the PIX outside interface. Assuming I am building a VPN between the PIX outside interface and a destination network somewhere on the Internet, I assume I would need to account for NAT-T.

A colleague of mine was tasked to get this working for a customer and his IKE phase 1 negotiation was unsuccessful. We thought initially that the Phase 1 parameters were inconsistent; however, something tells me NAT-T may also be a possibility.

Regards

Darren

Reply to
Darren Green

It would help, yes.

You have not really given us enough information.

When you run "debug crypto ipsec 2" and "debug crypto isakmp 2" on the PIX, do you see the conversation getting as far as sending NAT-T probes?

Reply to
Walter Roberson

This topic has been around for years (see formatting link) and has been discussed multiple times in this forum; you might try a search for "NAT traversal" and IPsec. The problems are not limited to Cisco, and there is more than one of them. You seem to be getting hung up on the initial key exchange, which uses port 500. Your NAT is probably assuming overloading and changing the port to one Cisco does not recognize. Once you get past the key exchange, you'll also be challenged by the NAT interfering with AH and ESP.

Bottom Line: The NAT Traversal (NAT-T) feature, introduced in PIX Firewall version 6.3, is required to establish an IPsec tunnel through an external NAT. If you are not running at least PIX OS 6.3, you will need to upgrade. Similarly, your Cisco VPN client must be at version 3.6 or newer. A little searching on formatting link should uncover some sample configurations appropriate for your client's needs.

Good luck and have fun!

Reply to
Vincent C Jones
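The mechanism behind the "NAT-T probes" Walter asks about and the port-changing NAT Vincent describes, worked through as an added example. This is not code from the thread, from Cisco, or from the PIX: it is a stand-alone Python model of the RFC 3947 NAT discovery step of IKE phase 1, in which each peer sends NAT-D payloads of HASH(CKY-I | CKY-R | IP | Port) for the address it thinks it is using and for the address it sees the peer at, and the receiver recomputes those hashes from the packet it actually received. A mismatch means an address or port was rewritten in transit, which is exactly what a static translation on the outside router (or worse, a port-overloading one) does to the PIX's UDP 500 traffic. The cookies, the 10.1.1.2 / 203.0.113.5 / 198.51.100.7 addresses and the hash choice are constructed for the example; the RFC 3947 vendor-ID value is the real one, but a PIX of that era may also use the older draft vendor IDs, which are not modelled here.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

HASH_ALGS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def nat_t_vendor_id() -> bytes:
    """Vendor ID payload that advertises RFC 3947 NAT-T support in IKE messages 1 and 2.
    Per RFC 3947 the value is MD5 of the literal string "RFC 3947" (no newline)."""
    return hashlib.md5(b"RFC 3947").digest()


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, alg: str = "sha1") -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 3.2.
    IPv4 addresses are 4 octets, the port is 2 octets, both in network byte order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 octets each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return HASH_ALGS[alg](data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, remote: Endpoint,
                         local: Endpoint, alg: str = "sha1") -> List[bytes]:
    """Sender side: the first NAT-D covers the peer's address as the sender sees it,
    the remaining ones cover the sender's own (possibly private) addresses."""
    return [nat_d_hash(cky_i, cky_r, remote.ip, remote.port, alg),
            nat_d_hash(cky_i, cky_r, local.ip, local.port, alg)]


def detect_nat(cky_i: bytes, cky_r: bytes, received: List[bytes], my_addr: Endpoint,
               observed_src: Endpoint, alg: str = "sha1") -> Dict[str, bool]:
    """Receiver side: recompute the hashes from what was actually on the wire.
    received[0] should match my own address; one of received[1:] should match the
    source address/port the packet arrived from. A mismatch means a NAT rewrote it."""
    expected_mine = nat_d_hash(cky_i, cky_r, my_addr.ip, my_addr.port, alg)
    expected_peer = nat_d_hash(cky_i, cky_r, observed_src.ip, observed_src.port, alg)
    return {
        "me_behind_nat": received[0] != expected_mine,
        "peer_behind_nat": all(h != expected_peer for h in received[1:]),
    }


def next_phase_transport(result: Dict[str, bool]) -> Endpoint:
    """Once NAT is detected both sides float to UDP 4500 and ESP is UDP-encapsulated,
    which is what keeps a NAT from breaking ESP (and makes AH unusable) later on."""
    return Endpoint("udp", 4500) if any(result.values()) else Endpoint("udp", 500)


def scenario(translation: Optional[Endpoint]) -> Dict[str, bool]:
    """Constructed topology from the thread: PIX outside interface 10.1.1.2 behind the
    router's NAT, remote VPN gateway 198.51.100.7. `translation` is the source the remote
    gateway actually sees after the router rewrites the packet (None = no NAT)."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")   # constructed responder cookie
    pix = Endpoint("10.1.1.2", 500)
    remote = Endpoint("198.51.100.7", 500)
    payloads = build_nat_d_payloads(cky_i, cky_r, remote, pix)   # what the PIX sends
    observed = translation or pix                                # what the remote sees
    return detect_nat(cky_i, cky_r, payloads, remote, observed)


if __name__ == "__main__":
    print("no NAT:        ", scenario(None))
    print("static 1:1 NAT:", scenario(Endpoint("203.0.113.5", 500)))
    print("overload/PAT:  ", scenario(Endpoint("203.0.113.5", 1025)))
```

Run it and the static translation case is the one in the original question: the IP in the PIX's own NAT-D hash no longer matches the source the remote gateway observes, so NAT is detected even though the port survived. With port overloading both fields differ, and without NAT-T on at least one side (PIX 6.3 or later) the peer has no way to recognise the rewritten port and phase 1 simply stalls, which is the behaviour the debug output should make visible.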

Thanks Vincent & Walter for your replies.

My difficulty here was having to talk a colleague through this remotely and get him to run the debugs. It was only after I thought about NAT-T.

I'll see if I can access the device myself to troubleshoot first hand.

Regards

Darren

Reply to
Darren Green

