Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IPSec through PAT

Unanswered Question
Apr 2nd, 2001
User Badges:


I have a client that needs to establish an IPSec tunnel from behind PAT on an 804 ISDN router. The router will be configured to get a dynamic address on the BRI from the ISP. The node that is running the vpn client is directly connected to the ethernet port of the router. Is there any way to get this to work? If so how? Thanks...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
c.albrisi Tue, 04/03/2001 - 23:24
User Badges:

I'm on a similar problem. I haven't tested yet, but I believe that you have to configure your VPN client using manual keys and with the same manual configuration on the other peer. You have to disable ISAKMP based on UDP port 500. You can refer to a configuration on "IPSEC user guide for the cisco secure PIX Firewall ver 5.3" is a pix 2 pix configuration but could be a good reference.

What about a Proxy instead of a cisco 8xx ?

tawye Tue, 04/10/2001 - 03:08
User Badges:

I have had this problem also in a similar (NAT) setup. ISAKMP would not work but Manual Keys were fine. I thinks it because the HASH on ISAKMP cant be turned off (you can only choose between MD5 or SHA) this and because of the NAT the packet will fail the HASH check.

arunv Mon, 05/21/2001 - 05:40
User Badges:

Hope your configuration would be working by now. I have implemented a VPN covering 130 retail sites. Each site with a PC, one Cisco 803 and one ISDN BRI. The problem you have mentioned bugged me a lot. I struggled with Cisco Secure client and Check Point's Securemote. The problem is that, you need true NAT for this to function properly. In case of and 803 router dialing an ISP, what we get is a variable IP address each time. So, a true inbound NAT cannot be established. I used ETrust VPN from Computer Associates. It has no issues working through PAT.

Other way is to have an IPSec tunnel between 803 BRI to the head office PIX. With PIX you can have Dynamic crypto maps which can handle the variable IP addresses from originating routers.

I spent quite sometime on this and I am happy the setup is working superb. If you still have problems or need more information, feel free to contact me.

jv128 Mon, 05/21/2001 - 13:57
User Badges:

can't be done and be secure in this set up

reccommend the cvpn3002


if connecting to a concentrator, you are ok. if you are connecting to a Pix, I would upgrade up to v6.0(1) on the Pix SW.

you will not be able to ping devices on the remote site from the main site. This is the only short coming of this.

If you do IPsec pass through, (if connecting to a pix on the main site, please take caution. Secondary connections do not re-authenticate with the SA and you are vulnerable to be hacked)


This Discussion