
Enabling NAT-T still has not Resolved Problem

Unanswered Question
Oct 20th, 2003

This is what I previously wrote:

I am wanting to use my Cisco client 3.5 to access an authentication server on our customer's network for administration duties.

I am using client 3.5 going through a Sonicwall Pro 300 firewall set for NAT and connecting to a 3005 concentrator which then authenticates the user via a RADIUS server.

I am able to authenticate from the client but am unable to use terminal services, VNC, telnet or even ping the destination server.

Whereas when I use a dial-up connection via a 3rd party ISP I can authenticate and access the RADIUS server via terminal services etc.

I looked at the Sonicwall firewall to see if IPSec passthrough was available but was unable to find it.

I find it strange that I can authenticate (establishing the tunnel) on my internal LAN, but not do anything else.

I am assuming it has something to do with the Sonicwall.

Here is the path I am trying to achieve:

Cisco client - Sonicwall - 3005 concentrator - Cyberguard firewall - authentication server.


I have enabled NAT-T - that is, the UDP protocol on port 4500 - on my Sonicwall firewall and am still unable to use the VPN. Do I need to enable the Cyberguard firewall for NAT-Traversal - UDP 4500? (That is in between the 3005 concentrator and the authentication server I am trying to connect to via terminal services.)

It seems strange that I can authenticate initially.

Any thoughts or ideas would be gratefully received; I have been looking at this for a while now without any progress.



pkapoor Mon, 10/20/2003 - 16:26

Hi Andy,

Check which one of the following is being done on the concentrator.

Under Configuration > System > Tunneling Protocols > IPSec > NAT Transparency

1. IPSec over TCP (port number, usually 10000)

2. IPSec over NAT-T

Also, check under the group settings (in the Client Config tab) whether IPSec over UDP is checked and the port number (usually 10000).

Then on your client, check that you have "Allow IPSec over UDP (NAT/PAT)" selected under Transparent Tunneling. You probably do have it selected.

Now it all depends on the concentrator settings.

- IPSec over TCP will take precedence

- Then comes IPSec over NAT-T

- Last comes IPSec over UDP

Based on these observations, you need to open the following ports.

For IPSec over TCP:

TCP port 10,000 (if that is the port configured).

For IPSec over NAT-T:

UDP port 4500

For IPSec over UDP:

UDP port 10,000 (if that is the port configured).


That should do the trick. If not, let me know.


dmcswiney Fri, 11/07/2003 - 10:17

Hi Andy,

Don't know if you have this working yet but Cisco VPN client version 3.5 does not support NAT-T. Try using 3.6.



