LAN2LAN IPSEC behind a 1-to-1 NAT

pavlosd
Level 2

Hi All,

We have a client that we need to do LAN2LAN IPSEC with, but their VPN Gateway (PIX firewall) is behind a NAT. Will it work? Their PIX's outside interface is NATed to a public address.

5 Replies

andrew.prince
Level 10

Yes it will work - they just have to MAKE SURE they perform a 1:1 NAT for the IP address and not PAT - as ESP is a protocol and cannot be port translated, and AH is broken by NAT.

HTH

OK. We will test it.

But since you mentioned it, if one end is behind a PAT, do we need to use NAT-T or something? Or will it still not work?

Regards.

It should work, but only the peer behind the NAT may initiate the connection using NAT-T (ESP tunneled via UDP). If the remote peer tries to initiate the tunnel, nothing will happen because you don't have an xlate telling the outside the local IP of the gateway.

Rgds,

Pedro

That is NOT true. ESP will work as well. For example, you want to do L2L VPN between R1 and R3 but you only have one public IP address on R2.

R1----Internet--(F0/0)R2(F0/1)----R3

Let's say R1 external is 1.1.1.1, R2 F0/0 has an IP of 1.1.1.2. R2 F0/1 has an IP address of 192.168.1.1 and R3 has an IP address of 192.168.1.3.

Here is how you do it:

R2:

interface F0/0
 ip nat outside
 ip address 1.1.1.2
interface F0/1
 ip address 192.168.1.2
 ip nat inside
ip nat inside source static udp 192.168.1.3 500 interface F0/0 500
ip nat inside source static esp 192.168.1.3 interface F0/0

NOW, YOU CAN DO L2L IPSEC VPN BETWEEN R1 AND R3 USING ESP WITHOUT USING NAT-T. YOU CAN TEST BY USING "NO CRYPTO IPSEC NAT UDP" ON R3.

This is a classic VPN problem.
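A toy model of the NAT behaviour discussed in this thread, added here as an example (it is not Cisco code and not from any poster): a translation table for R2 using the addresses from the post above, showing why a remote peer cannot initiate through plain PAT when no xlate exists, why NAT-T (UDP 4500) still works when the inside peer initiates, and how the two static entries let IKE and ESP reach 192.168.1.3 from outside. It deliberately simplifies real PAT implementations down to the thread's claim that ESP and AH cannot be port translated.

```python
from dataclasses import dataclass, field

ESP, AH, UDP = 50, 51, 17                      # IP protocol numbers
PUBLIC_IP, R3_IP = "1.1.1.2", "192.168.1.3"   # addresses taken from the post


@dataclass
class Nat:
    """Toy NAT/PAT device standing in for R2 (simplified, per the thread)."""
    public_ip: str
    static: dict = field(default_factory=dict)   # (proto, port) -> inside ip
    xlate: dict = field(default_factory=dict)    # dynamic entries from outbound flows

    def add_static(self, proto, inside_ip, port=None):
        """Pre-populate a translation, like 'ip nat inside source static ...'."""
        self.static[(proto, port)] = inside_ip

    def outbound(self, src_ip, proto, sport=None):
        """Inside -> outside. Returns translated (ip, port) or None if dropped."""
        if proto == AH:
            return None   # AH authenticates the IP header; any address rewrite breaks it
        if proto == ESP and (ESP, None) not in self.static:
            return None   # ESP carries no port, so plain PAT has nothing to rewrite
        self.xlate[(proto, sport)] = src_ip   # remember the flow so replies get back in
        return (self.public_ip, sport)

    def inbound(self, proto, dport=None):
        """Outside -> inside. Needs a static entry or an xlate the inside peer created."""
        return self.static.get((proto, dport)) or self.xlate.get((proto, dport))


def scenarios():
    # Case 1: plain PAT on R2, no static entries (the situation Pedro describes).
    pat = Nat(PUBLIC_IP)
    remote_initiates = pat.inbound(UDP, 500)   # no xlate yet -> None (dropped)
    pat.outbound(R3_IP, UDP, 4500)             # R3 initiates using NAT-T
    natt_reply = pat.inbound(UDP, 4500)        # reply matches the xlate -> R3_IP
    raw_esp_out = pat.outbound(R3_IP, ESP)     # ESP without NAT-T -> None

    # Case 2: the two static entries from the post above.
    st = Nat(PUBLIC_IP)
    st.add_static(UDP, R3_IP, 500)             # ip nat inside source static udp ... 500
    st.add_static(ESP, R3_IP)                  # ip nat inside source static esp ...
    ike_in = st.inbound(UDP, 500)              # R1 can now start IKE -> R3_IP
    esp_in = st.inbound(ESP)                   # and send ESP directly -> R3_IP
    return remote_initiates, natt_reply, raw_esp_out, ike_in, esp_in
```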

It's true, but my post is assuming that he can't do any static in the path.

rgds