VPN outbound and NAT Pools

Unanswered Question
Mar 1st, 2007

We are using NAT addressing on our internal LAN. In order for someone to use IPsec to VPN to their home network, does the client on our network have to have a NAT address with a static outside address, or will it work from a NAT pool?

acomiskey Thu, 03/01/2007 - 11:51

It depends on whether or not the remote end supports NAT-T (NAT traversal). This will allow IPsec and PAT to work together.

randyclark Thu, 03/01/2007 - 11:58

What we have on our side is the following.

Private IP ----> ASA5520-->NAT POOL-->Internet.

It would be up to the client to make the remote end work. All I have to know is if the client will work through our NAT pool without making a static entry. Save opening the IPsec port for that network range. Also, would it require any bi-directional ports to be opened?

kaachary Sat, 03/03/2007 - 05:42

Hi Randy,

Since the "fixup protocol esp" command is no longer supported with ASA, the only correct way to make ASA IPsec passthrough work through NAT is for the headend device to be NAT-T compatible.

In other words, the headend device and the client should support NAT-T and it should be enabled on both of them.

It doesn't matter if you use a NAT pool or a PATted IP address, as long as you have NAT-T enabled.

It would work.

*Please rate if helped.
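
An added illustration, not part of the thread: a Python sketch that labels packets captured on the outside of the NAT device using the UDP-encapsulation rules of RFC 3948, so an administrator can confirm whether a client's tunnel is really running over NAT-T. The function names and sample packets are constructed for this example; it assumes the standard ports, UDP 500 for initial IKE and UDP 4500 once NAT is detected.

```python
# Added example (not from the thread): label IPsec packets seen on the
# outside of a NAT device, using the UDP-encapsulation rules of RFC 3948.
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4   # precedes IKE messages on UDP 4500

def classify(ip_proto, sport, dport, payload):
    """Label one packet from its IP protocol, UDP ports and payload bytes."""
    if ip_proto == IPPROTO_ESP:
        return "native-esp"        # IP protocol 50 has no ports for PAT to rewrite
    if ip_proto != IPPROTO_UDP:
        return "other"
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"    # one 0xFF byte keeps the NAT mapping alive
        if payload[:4] == NON_ESP_MARKER:
            return "ike-4500"          # IKE after the peers float to 4500
        if len(payload) >= 8:
            return "esp-in-udp"        # non-zero SPI: ESP carried inside UDP
        return "other"
    if IKE_PORT in (sport, dport):
        return "ike-500"
    return "other"

def verdict(packets):
    """Summarise a capture: is tunnel traffic crossing the NAT as NAT-T?"""
    labels = {classify(*p) for p in packets}
    if "esp-in-udp" in labels:
        return "NAT-T in use"
    if "native-esp" in labels:
        return "native ESP seen: NAT-T not negotiated"
    if labels & {"ike-500", "ike-4500"}:
        return "IKE only: no tunnel traffic yet"
    return "no IPsec traffic"

# Constructed sample packets: (ip_proto, src_port, dst_port, payload)
ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16   # SPI, sequence, data
SAMPLE_NATT = [
    (17, 1024, 500, b"\x11" * 28),                    # IKE from a PAT-assigned port
    (17, 40211, 4500, NON_ESP_MARKER + b"\x11" * 28),
    (17, 40211, 4500, ESP),
    (17, 40211, 4500, b"\xff"),
]
SAMPLE_NO_NATT = [(17, 500, 500, b"\x11" * 28), (50, 0, 0, ESP)]

if __name__ == "__main__":
    print(verdict(SAMPLE_NATT), "|", verdict(SAMPLE_NO_NATT))
```

With NAT-T, everything after the first IKE messages is ordinary UDP, which is why a dynamic pool or PAT address translates it without a static entry.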


