VPN over Dynamic NAT

Unanswered Question
Mar 7th, 2007

Hi folks,

I have this problem. I built out a LAN for a customer using private IP addressing. On the WAN side I'm using a pool of public IP addresses to provide NAT. The LAN works for most Internet applications including voice, but I have an issue with users who want to connect to VPNs. When the user launches their client the VPN takes a very long time to connect and then no traffic passes in the tunnel, so the VPN is unusable at that point. If I set up a 1:1 static NAT for a user then they can successfully use their VPN.

Could it be that because I'm using a pool of addresses for NAT, the public address could be changing? Any way to get around this?

This happens whether they are using Cisco, Nortel or any other VPN.

acomiskey Wed, 03/07/2007 - 05:56

This is an issue with NAT traversal. It's not an issue with your device; NAT-T needs to be enabled on the far end if they want users to be able to connect from behind PAT.

vjokhoo Wed, 03/07/2007 - 07:26

Well the thing is, I am having the same problem when trying to connect to my VPN and I know for a fact that NAT Traversal is enabled on my VPN router.

If I use a 1:1 static NAT I can successfully connect. How about instead of using a pool of public addresses I use just one public address for NAT instead. The total number of users on the network will not cross 80-100 or so.

vjokhoo Wed, 03/07/2007 - 16:16

The VPN router is a Nortel VPN router. NAT traversal is enabled on it. But I discovered something today: I can use my Cisco VPN. The Cisco VPN router is actually a 7401 router with VPN IOS installed on it.

johnnykman Fri, 04/20/2007 - 13:32

When the Nortel VPN client can't connect, are you using PAT? I have a 506e with 6.3(5) and was not able to connect to a Nortel Contivity 5000 with NAT-T set to always encap udp 10001. After checking with a sniffer, I noticed that the source port of the PATed ISAKMP packets from the client was 0. The connection table showed a port translation of udp 500 to udp 500 on the PIX. Turns out, the sniffer was right. We were blocking the lower source ports to our VPN on our Internet router. With those lower ports open, the Nortel VPN client works perfectly.
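The replies above turn on the same mechanics: a PAT device rewrites UDP source ports, so the head end sees a different address/port than the client put in its NAT-D payload and concludes it is behind NAT; raw ESP carries no ports for PAT to rewrite, so one public address can only carry plain ESP for a single inside host; and a filter on low source ports at the far side will drop the first client's IKE packets when PAT preserved port 500. The model below is an added example written for this page, not code from the thread or from Cisco or Nortel. The NAT-D hash is simplified (real NAT-D also covers the IKE cookies), the port-preservation rule is an assumption about typical PAT behaviour, and all addresses are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

IKE_PORT = 500       # ISAKMP/IKE
NAT_T_PORT = 4500    # UDP encapsulation of IKE and ESP (RFC 3947 / RFC 3948)
PROTO_UDP = 17
PROTO_ESP = 50       # ESP carries an SPI but no ports, so PAT has nothing to rewrite


class PatError(Exception):
    """The PAT device cannot build a unique translation for this flow."""


@dataclass
class PatDevice:
    """Toy PAT box: many inside hosts share one public IP by rewriting source ports.
    Constructed model, not the xlate logic of any particular vendor."""
    public_ip: str
    next_port: int = 1024
    fwd: Dict[Tuple[int, str, Optional[int]], Optional[int]] = field(default_factory=dict)
    used_ports: Set[int] = field(default_factory=set)
    esp_owner: Optional[str] = None   # the one inside host whose plain ESP we can carry

    def _alloc(self) -> int:
        while self.next_port in self.used_ports:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate(self, proto: int, inside_ip: str,
                  inside_port: Optional[int]) -> Tuple[str, Optional[int]]:
        key = (proto, inside_ip, inside_port)
        if key in self.fwd:
            return self.public_ip, self.fwd[key]
        if proto == PROTO_ESP:
            # No port field: one public address can carry plain ESP for ONE inside host.
            if self.esp_owner not in (None, inside_ip):
                raise PatError(f"ESP from {inside_ip} collides with {self.esp_owner} on {self.public_ip}")
            self.esp_owner = inside_ip
            self.fwd[key] = None
            return self.public_ip, None
        # Port preservation (assumed): keep the inside source port while it is free. This is
        # why the first IKE client shows up as 'udp 500 -> udp 500' in a translation table.
        port = inside_port if inside_port not in self.used_ports else self._alloc()
        self.used_ports.add(port)
        self.fwd[key] = port
        return self.public_ip, port


def nat_d_hash(ip: str, port: int) -> bytes:
    """Simplified NAT-D payload: a hash of the address/port the sender believes it uses.
    Real NAT-D also hashes the IKE cookies; omitted here on purpose."""
    return hashlib.sha1(f"{ip}:{port}".encode()).digest()


def peer_detects_nat(inside_ip: str, inside_port: int, seen_ip: str, seen_port: int) -> bool:
    """The head end compares the client's NAT-D hash with a hash of what it actually saw."""
    return nat_d_hash(inside_ip, inside_port) != nat_d_hash(seen_ip, seen_port)


def bring_up_tunnel(pat: PatDevice, inside_ip: str, peer_nat_t: bool,
                    upstream_blocks_src_ports_below: int = 0) -> str:
    """Walk one client through IKE behind `pat` and report where its data traffic ends up.

    peer_nat_t: whether the head end negotiates NAT-T at all.
    upstream_blocks_src_ports_below: models a filter in front of the head end that drops
    packets with low source ports (0 means no such filter).
    """
    pub_ip, pub_port = pat.translate(PROTO_UDP, inside_ip, IKE_PORT)
    assert pub_port is not None
    if pub_port < upstream_blocks_src_ports_below:
        return f"blocked: IKE arrived from source port {pub_port}, filtered upstream"
    behind_nat = peer_detects_nat(inside_ip, IKE_PORT, pub_ip, pub_port)
    if behind_nat and peer_nat_t:
        # Both sides float to UDP/4500; ESP is wrapped in UDP and gets its own port mapping.
        pat.translate(PROTO_UDP, inside_ip, NAT_T_PORT)
        return "udp/4500"
    # No NAT-T: phase 1 completes, then the data phase tries to send raw ESP through PAT.
    try:
        pat.translate(PROTO_ESP, inside_ip, None)
    except PatError as exc:
        return f"failed: {exc}"
    return "esp"


if __name__ == "__main__":
    # Constructed addresses: RFC 5737 documentation range outside, RFC 1918 inside.
    shared = PatDevice("203.0.113.10")
    for host in ("10.0.0.5", "10.0.0.6"):
        print(host, "with NAT-T:", bring_up_tunnel(shared, host, peer_nat_t=True))
    no_natt = PatDevice("203.0.113.11")
    for host in ("10.0.0.5", "10.0.0.6"):
        print(host, "without NAT-T:", bring_up_tunnel(no_natt, host, peer_nat_t=False))
    filtered = PatDevice("203.0.113.12")
    print("10.0.0.5 behind a low-port filter:",
          bring_up_tunnel(filtered, "10.0.0.5", True, upstream_blocks_src_ports_below=1024))
```

A 1:1 static NAT, the original poster's workaround, is the one-host case of this model: with a single inside host per public address there is nothing for raw ESP to collide with, which is why it works even when NAT-T is never negotiated. Behind a shared address the second client's ESP fails unless both ends float to UDP/4500, and a low-source-port filter in front of the head end catches exactly the client whose port 500 was preserved.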

