IPSec and NAT

Apr 12th, 2004

Hi,


I've a basic question related to support for NAT with IPSec. I understand that it is not possible to do NAT after IPSec encryption of packets. The workaround when NAT is involved in the path is to use NAT-Transparency. But the document on CCO at http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml has steps for configuring VPN when a firewall in between the IPsec PATH is doing NAT. I've not tested this setup but was wondering if the configuration suggested in the CCO document would work. Any ideas?


Thanks,

Krishna

Overall Rating: 5 (1 ratings)
lchen2 Mon, 04/12/2004 - 17:35
You can still do NAT after IPSec encryption. The key here is to use protocol ESP, not AH, as AH would authenticate the IP header and NATting the IP address would fail the AH authentication.


The link on CCO will work. Just one more thing: when configuring the access-list on the PIX sitting between the IPSec peers, make sure UDP/4500 is allowed. IPSec NAT-Traversal uses UDP/4500.
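The AH versus ESP point in the reply above, as an added illustration that is not part of the original thread and is not Cisco code. It is a simplified model: the `Packet` class, the key, and the addresses are constructed for the example, and AH's coverage of the IP header is reduced to protocol, source and destination.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed sample integrity key shared by both peers
AH, ESP = 51, 50               # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    spi: int
    seq: int
    body: bytes
    icv: bytes = b""


def compute_icv(p: Packet) -> bytes:
    """HMAC-SHA1-96 over the bytes each protocol authenticates (simplified model)."""
    covered = struct.pack("!II", p.spi, p.seq) + p.body
    if p.proto == AH:
        # AH also covers the outer IP header addresses (assumption: only
        # protocol, source and destination are modelled here).
        covered = (bytes([p.proto]) + ipaddress.ip_address(p.src).packed
                   + ipaddress.ip_address(p.dst).packed + covered)
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]


def protect(p: Packet) -> Packet:
    """Sender side: attach the integrity check value."""
    return replace(p, icv=compute_icv(p))


def nat(p: Packet, public_src: str) -> Packet:
    """NAT device: rewrite the source address, leave everything else untouched."""
    return replace(p, src=public_src)


def verify(p: Packet) -> bool:
    """Receiver side: recompute the ICV from the packet as it arrived."""
    return hmac.compare_digest(p.icv, compute_icv(p))


def demo() -> dict:
    base = dict(src="10.0.0.5", dst="203.0.113.20", spi=0x1001, seq=1, body=b"constructed payload")
    ah = nat(protect(Packet(proto=AH, **base)), "198.51.100.7")
    esp = nat(protect(Packet(proto=ESP, **base)), "198.51.100.7")
    return {"AH after NAT": verify(ah), "ESP after NAT": verify(esp)}
```

The model covers address translation only; it does not model port translation, which is where the UDP/4500 NAT-Traversal encapsulation mentioned in the reply comes in.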

