Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
0
Helpful
2
Replies

Enabling NAT-T still has not Resolved Problem

andeeeeuk
Level 1
Level 1

‎10-20-2003 01:23 PM - edited ‎03-09-2019 05:13 AM

This is what I previously wrote:............

I am wanting to use my cisco client 3.5 to access an authentication server on our customers network for administration duties.

I am using client 3.5 going through a Sonicwall Pro 300 firewall set for NAT and connecting to a 3005 concentrator which then authenticates the user via a a Radius Server.

I am able to authenticate from the client but am unable to use terminal services,vnc,telnet or even ping the destination server.

Where as when I use a dial-up connection via 3rd Party ISP I can authenticate and access the Radius server via terminal services etc etc.

I looked at the Sonicwall firewall to see if ipsec passthrough was available but unable to find it.

I find it strange that I can authenticate (establishing the tunnel) on my internal lan, but no do anything else.

I am assuming it has something to do with the sonicwall.

here is the path i am trying to achieve.

Cisco client-sonicwall-3005 concentrator-cygberguard firewall-authentication server.

---------------------------------------

I have enabled NAT-T - that is the UDP protocol on port 4500 on my sonicwall firewall and am still unable to use the VPN.Do I need to enable the Cyberguard Firewall for NAT-Traversal - UDP 4500.(that is in between the 3005 concentrator and the authentication server I am trying to connect to via terminal services)

It seems strange that I can authenticate initially.

Any thoughts or ideas would be grateful been looking at this for a while now without any progress.

Thanks

Andy

Labels:
0 Helpful
2 Replies 2

pkapoor
Level 3
Level 3

‎10-20-2003 04:26 PM

Hi Andy,

Check which one of the following is being done on the concentrator.

Under Configuration > System > Tunneling Protocols > IPSec > NAT Transparency

1. IPSec over TCP (port number, usually 10000)

2. IPSec over NAT-T

Also, check under the group settings (in the Client Config tab) whether IPSec over UDP is checked and the port number (usually 10000).

Then on your client, check the you have "Allow IPSec over UDP (NAT/PAT) under Transparent Tunneling. You probably do have it selected.

Now all depends on the concentrator settings.

- IPSec over TCP will take precedence

- Then comes IPSec over NAT-T

- Last comes IPSec over UDP

Based on these observations, you need to open the following ports.

For IPSec over TCP:

TCP port 10,000 (if that is the port configured).

For IPSec over NAT-T

UDP port 4500

For IPSec over UDP

UDP port 10,000 (if that is the port configured).

NOTE THAT THE PORTS NEED TO BE OPENED / PERMITTED IN BOTH DIRECTIONS.

That should do the trick. If not, let me know.

Paras

0 Helpful

dmcswiney
Level 1
Level 1

‎11-07-2003 10:17 AM

Hi Andy,

Don't know if you have this working yet but Cisco VPN client version 3.5 does not support NAT-T. Try using 3.6.

Regards

Dave

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents