IPsec behind a PAT device

Oct 23rd, 2008

Our firewall has multiple site-to-site VPNs, and it also supports Remote Access VPN (using an ASA). A number of RA users who are connecting from behind a PAT'd address are unable to VPN in. After doing some research, I see that a line needs to be added on both firewalls, i.e.:

isakmp nat-traversal 20

I fear, though, that this will "hurt" the site-to-site VPNs, based on this document:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.pdf

section: Enabling IPsec over NAT-T

Is there any problem enabling this command on the firewall without harming any of the site-to-site VPNs or even the RA VPNs?

ajagadee (Cisco Employee) Thu, 10/23/2008 - 09:15

Roni,

You are on the right path; "isakmp nat-traversal" should overcome the issues you are running into with RA users behind a PAT device.

And technically, by enabling "isakmp nat-traversal", you should not run into any issues with L2L tunnels. At least, that is what I have seen with Cisco VPN servers. In case you have L2L tunnels configured to third-party vendors, I would recommend that you enable this command during a "maintenance window" and, if possible, clear the ISAKMP and IPsec SAs and re-establish the tunnels, so you know for sure that enabling the command did not break the L2L tunnel configuration/behavior.

Regards,

Arul

*Pls rate if it helps*

cisco24x7 Thu, 10/23/2008 - 15:50

If you are doing L2L VPN between Cisco and Checkpoint and/or Juniper devices, be sure to enter this command as well:

no crypto ipsec nat-transparency udp-encapsulation

That will ensure that the L2L VPN uses ESP instead of sending udp/4500.
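As an added example (not from this thread, and not Cisco or ASA code), the following Python shows how NAT-T traffic differs on the wire from the native ESP that the answer above wants the L2L tunnel to keep using: it applies the RFC 3948 demultiplexing rules for udp/4500 to constructed packets, so a capture taken after enabling `isakmp nat-traversal` can confirm whether a peer ended up on udp/4500 or stayed on IKE udp/500 plus IP protocol 50. The function names, sample packets and peer addresses are all constructed for the example.

```python
"""Tell NAT-T traffic apart from native IPsec on the wire (RFC 3948 rules).
Constructed example for this thread, not Cisco/ASA code. On udp/4500 the
first bytes disambiguate: a lone 0xFF is a NAT keepalive, four zero bytes
(Non-ESP marker) precede an IKE header, anything else is ESP (SPI is never 0).
"""
from collections import Counter
import struct

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4
IKE_HDR_LEN = 28  # fixed ISAKMP header length


def classify(ip_proto: int, dst_port: int, payload: bytes) -> str:
    """Traffic kind for one packet; payload is the UDP payload (or ESP body)."""
    if ip_proto == PROTO_ESP:
        return "esp"                      # native ESP, IP protocol 50
    if ip_proto != PROTO_UDP:
        return "other"
    if dst_port == IKE_PORT:
        return "ike"                      # plain ISAKMP, no marker
    if dst_port != NATT_PORT:
        return "other"
    if payload == b"\xff":
        return "natt-keepalive"           # keeps the PAT binding alive
    if payload.startswith(NON_ESP_MARKER):
        return "ike-natt" if len(payload) >= 4 + IKE_HDR_LEN else "malformed"
    return "esp-udp" if len(payload) >= 8 else "malformed"  # SPI + seq


def tunnel_modes(packets):
    """Count kinds per peer, so an L2L peer that moved from native ESP to
    udp/4500 after enabling NAT-T stands out in a capture."""
    seen = Counter()
    for src, ip_proto, dst_port, payload in packets:
        seen[(src, classify(ip_proto, dst_port, payload))] += 1
    return seen


# Constructed sample: an RA client behind PAT (198.51.100.7) and a native
# L2L peer (203.0.113.9). Addresses are documentation ranges, not real peers.
SAMPLE = [
    ("198.51.100.7", PROTO_UDP, NATT_PORT, NON_ESP_MARKER + bytes(IKE_HDR_LEN)),
    ("198.51.100.7", PROTO_UDP, NATT_PORT, struct.pack("!II", 0x1ABCD, 1) + bytes(16)),
    ("198.51.100.7", PROTO_UDP, NATT_PORT, b"\xff"),
    ("203.0.113.9", PROTO_UDP, IKE_PORT, bytes(IKE_HDR_LEN)),
    ("203.0.113.9", PROTO_ESP, 0, struct.pack("!II", 0xBEEF, 7) + bytes(16)),
]
```

Running `tunnel_modes(SAMPLE)` reports the PAT'd client entirely on udp/4500 (ike-natt, esp-udp, natt-keepalive) while the L2L peer shows only ike and esp; a firewall that permits udp/500 and protocol 50 but not udp/4500 would drop the former and pass the latter.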
