12-20-2008 05:59 AM - edited 02-21-2020 04:06 PM
Hi All,
We have a client that we need to do LAN2LAN IPSEC with, but their VPN Gateway (PIX firewall) is behind a NAT. Will it work? Their PIX's outside interface is NATed to a public address.
12-20-2008 07:19 AM
Yes it will work - they just have to MAKE SURE they perform a 1:1 NAT for the IP address and not PAT - as ESP is a protocol and cannot be port translated, and AH is broken by NAT.
HTH
12-22-2008 10:27 PM
OK. We will test it.
But since you mentioned it, if one end is behind a PAT, do we need to use NAT-T or something, or will it still not work?
Regards.
12-23-2008 03:18 AM
It should work, but only the peer behind the NAT may initiate the connection using NAT-T (ESP tunneled via UDP). If the remote peer tries to initiate the tunnel nothing will happen, because you don't have an xlate telling the outside the local IP of the gateway.
Rgds,
Pedro
12-23-2008 04:06 AM
That is NOT true. ESP will work as well. For example, you want to do L2L VPN between R1 and R3 but you only have one public IP address on R2.
R1----Internet--(F0/0)R2(F0/1)----R3
Let's say R1 external is 1.1.1.1, R2 F0/0 has an IP of 1.1.1.2, R2 F0/1 has an IP address of 192.168.1.1 and R3 has an IP address of 192.168.1.3.
Here is how you do it:
R2:
interface F0/0
 ip address 1.1.1.2 255.255.255.0
 ip nat outside
interface F0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
! /24 masks assumed; the post omitted them
! IKE (UDP/500) and ESP arriving on F0/0 are both steered to R3
! (syntax: static udp <local-ip> <local-port> interface <if> <global-port>)
ip nat inside source static udp 192.168.1.3 500 interface F0/0 500
ip nat inside source static esp 192.168.1.3 interface F0/0
NOW, YOU CAN DO L2L IPSEC VPN BETWEEN R1 AND R3 USING ESP WITHOUT USING NAT-T. YOU CAN TEST BY USING "NO CRYPTO IPSEC NAT UDP" ON R3.
This is a classic VPN problem.
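The three situations discussed in this thread (ESP through plain PAT, ESP through PAT with the static udp/500 and esp entries, and NAT-T through plain PAT), as an added Python model that is not part of the thread. The Pat class, its drop-unless-static behaviour and the scenario function names are assumptions made for the illustration; the addresses are the ones used in the post.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                     # "esp" (IP protocol 50) or "udp"
    src: str
    dst: str
    sport: Optional[int] = None    # ESP carries no ports, only an SPI
    dport: Optional[int] = None

class Pat:
    """Toy PAT: tells inside hosts apart by transport port; `static` holds the post's IOS fixes."""
    def __init__(self, outside_ip, static=None):
        self.outside, self.static = outside_ip, dict(static or {})
        self.table, self.next_port = {}, 1024   # (proto, outside_port) -> (inside_ip, inside_port)
    def outbound(self, p):
        if p.proto == "esp":   # no port to rewrite: only a static esp entry lets it through
            return replace(p, src=self.outside) if self.static.get(("esp", None)) == p.src else None
        keep = self.static.get((p.proto, p.sport)) == p.src   # static udp/500 keeps its port
        out_port = p.sport if keep else self.next_port
        self.next_port += not keep
        self.table[(p.proto, out_port)] = (p.src, p.sport)
        return replace(p, src=self.outside, sport=out_port)
    def inbound(self, p):
        if p.dst != self.outside:
            return None
        if p.proto == "esp":   # inbound ESP can reach only the one statically mapped host
            host = self.static.get(("esp", None))
            return replace(p, dst=host) if host else None
        host, port = self.table.get((p.proto, p.dport)) or (self.static.get((p.proto, p.dport)), p.dport)
        return replace(p, dst=host, dport=port) if host else None

R1, R2_OUT, R3 = "1.1.1.1", "1.1.1.2", "192.168.1.3"   # addresses from the thread

def esp_via_plain_pat():
    """Unmodified PAT: R1's ESP towards R3 is dropped, whoever initiated."""
    return Pat(R2_OUT).inbound(Packet("esp", R1, R2_OUT))

def esp_via_static_pat():
    """The post's fix: static udp/500 and esp entries for R3, no NAT-T needed."""
    pat = Pat(R2_OUT, {("udp", 500): R3, ("esp", None): R3})
    pat.outbound(Packet("udp", R3, R1, 500, 500))          # IKE from R3 keeps port 500
    return pat.inbound(Packet("esp", R1, R2_OUT))

def natt_via_plain_pat():
    """NAT-T: ESP inside UDP/4500 has a port, so plain PAT maps it once R3 initiates."""
    pat = Pat(R2_OUT)
    sent = pat.outbound(Packet("udp", R3, R1, 4500, 4500))
    return pat.inbound(Packet("udp", R1, R2_OUT, 4500, sent.sport))
```

Each function returns the packet as it would leave R2 towards the inside, or None when the translator has no mapping for it.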
12-23-2008 07:09 AM
It's true, but my post is assuming that he can't do any static in the path.
rgds