VPN tunnel with NAT traversal

Hi everyone,

I recently upgraded a PIX 501 from version 6.2.x to version 6.3.4 in order to take advantage of the NAT-T ability when setting up an IPSec VPN. It seems that all there is to it is the "isakmp nat-traversal" command, but I still can't get it to work. Is there any way to customize the NAT transparency, such as changing the UDP port of the encapsulation? Will NAT-T get applied if the PIX is set up as a hardware VPN client? I have been playing around with setting up a PIX-to-Concentrator VPN connection, where the PIX is sitting behind another PIX doing NAT/PAT, but have not been able to establish the tunnel. The exact same setup works if using a software VPN client, however (the Concentrator reports the software connection as "IPSec/NAT-T"). The Concentrator's log during the establishment of the tunnel shows no activity, so is there any way to do a "debug icmp trace" or any other similar debug command on the Concentrator?

My apologies for leaving out the gory details of the setups, but I think that I am missing something conceptually, not technically.

I would be very grateful for any insight someone might offer.



Bohdan Yaremko



The VPN client will try TCP 10000 (I think it is) as well as the now-standardized ports.

For standardized NAT-T, UDP 500 and UDP 4500 must be permitted as destinations. Note, though, that if no NAT is detected then standard IPSec will be used -- UDP 500, IP protocol 50 (ESP) and potentially IP protocol 51 (AH).

Walter Roberson
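To make the port/protocol split in the reply concrete, here is an added example (not from either poster, and not Cisco code) that classifies constructed packet headers the way a firewall rule or IDS signature would have to: the plain IKE/ESP/AH flows, plus the demultiplexing NAT-T does on UDP 4500 (per RFC 3948: a four-byte all-zero "non-ESP marker" means IKE was relocated to 4500, a non-zero first word is the SPI of UDP-encapsulated ESP, and a lone 0xFF byte is a NAT keepalive). The protocol numbers, ports and permit sets are assumptions taken from the IANA registry and RFCs 3947/3948; the PIX and Concentrator themselves are not simulated.

```python
"""Classify IPsec-related packets, including the NAT-T demux on UDP 4500.

Added example for the thread above. Assumptions: IANA protocol numbers
(UDP=17, ESP=50, AH=51) and the RFC 3947/3948 port and marker rules.
"""
from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
PORT_ISAKMP, PORT_NAT_T = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s.2.3: one-byte keepalive


@dataclass(frozen=True)
class Packet:
    """Constructed header summary: IP protocol, UDP dst port (None if not UDP), payload."""
    proto: int
    dport: Optional[int]
    payload: bytes = b""


def classify(pkt: Packet) -> str:
    """Return the IPsec flow type a packet belongs to, or 'other'."""
    if pkt.proto == PROTO_ESP:
        return "esp"
    if pkt.proto == PROTO_AH:
        return "ah"
    if pkt.proto != PROTO_UDP:
        return "other"
    if pkt.dport == PORT_ISAKMP:
        return "ike"                          # plain ISAKMP; also where NAT detection starts
    if pkt.dport == PORT_NAT_T:
        p = pkt.payload
        if p == NAT_KEEPALIVE:
            return "nat-keepalive"
        if len(p) >= 4 and p[:4] == NON_ESP_MARKER:
            return "nat-t-ike"                # IKE relocated to 4500 after NAT was detected
        if len(p) >= 4:
            return "nat-t-esp"                # UDP-encapsulated ESP; p[:4] is the SPI
        return "nat-t-malformed"
    return "other"


def required_permits(nat_detected: bool) -> set[str]:
    """Flows toward the peer that a firewall must allow for the tunnel to come up."""
    if nat_detected:
        return {"udp/500", "udp/4500"}       # IKE and ESP both ride UDP once NAT-T is in use
    return {"udp/500", "ip/50", "ip/51"}     # ISAKMP, ESP, and AH if the policy uses it
```

Feeding the classifier a capture taken on the outside of the NATing PIX tells you quickly whether the inner PIX ever switched to UDP 4500 or kept sending raw ESP that the NAT device cannot translate.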
