1067 Views | 4 Helpful | 4 Replies

Firewall Services Mod (Transparent Mode) VPN issues

jbanker
Level 1

I am using a FWSM in transparent mode on a 6509 and I am running into issues using the Microsoft VPN client with NAT. Currently, I have NAT set up on my router, and when I try to VPN to an outside VPN server I cannot get authenticated. If I try the same VPN server using a public IP behind the same context, it works no problem. I know this is an issue with NAT not knowing how to get back to the 192.168.x.x address, but I do not know how to resolve the issue. I am using NAT overload, so I would need to get back to the (source) address without doing a 1-to-1 NAT. Any ideas? Thanks

4 Replies

bstremp
Level 2

If the NAT works fine, VPN needs to work. Make sure when the packet goes out it gets a public IP address from the NAT configuration, because private internet addresses do not have routing in the internet.

ksudi
Level 1

If you can reach the VPN server and cannot authenticate, most VPN clients will fail, probably because the VPN ports are taken by another VPN session or the NAT process's dynamic port assignment conflicts with the ports required for a VPN tunnel. A one-to-one static NAT should solve this issue.

Thanks

Karar

Hi. When trying to establish a VPN from behind a device which does NAT/PAT, you need to enable NAT traversal on the device terminating the VPN, in this case the VPN server. Also, the VPN client needs to be configured for NAT transparency. On Cisco clients this is normally done by encapsulating ESP in UDP 4500. This allows the NAT/PAT; otherwise you will have problems, mainly because ESP and NAT/PAT are not compatible. You also need to make sure that UDP 4500 and UDP 500 can traverse the device doing NAT/PAT by checking the access lists applied to it.

I hope it helps. Please rate if it does.

Thanks for the info! The VPN server we are currently connecting to uses PPTP. I can reach the VPN server but not authenticate. I will contact the owner and see if NAT-T is set up on his end. Thanks
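Pulling the replies together, here is an added Cisco IOS configuration sketch for the router doing the NAT. It is not from the thread or from any poster: interface names, the ACL name, and the addresses 192.168.1.0/24 (inside), 203.0.113.0/24 (outside), 192.168.1.50 (the VPN client PC) and 203.0.113.50 (a spare public address) are all assumed. It shows the existing PAT ("overload") setup, ksudi's one-to-one static NAT alternative for the VPN client, and the inbound permits Karar describes (UDP 500 and 4500 for IPsec with NAT-T) plus the equivalent for the PPTP server the poster later confirmed (TCP 1723 for control and GRE, IP protocol 47, for the tunnel data).

```cisco
! Added illustration, not the poster's configuration. Addresses, interface
! names and the ACL name are assumed/constructed for the example.

! --- 1. PAT for the inside network (the poster's existing "NAT overload") ---
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload

! --- 2. ksudi's alternative: a one-to-one static NAT for the VPN client PC ---
! A static mapping keeps source ports unchanged and, unlike PAT, gives the
! router an unambiguous inside host to deliver GRE (which has no port field)
! back to. 192.168.1.50 / 203.0.113.50 are assumed values.
ip nat inside source static 192.168.1.50 203.0.113.50

! --- 3. Karar's check: the inbound access list on the outside interface must
! let the VPN control and data traffic back in. For outside-to-inside traffic
! IOS evaluates the inbound ACL before translation, so match the public
! (global) address here. ---
ip access-list extended OUTSIDE-IN
 remark IPsec with NAT-T: IKE on UDP 500 (isakmp), ESP-in-UDP on 4500 (non500-isakmp)
 permit udp any eq isakmp host 203.0.113.50
 permit udp any eq non500-isakmp host 203.0.113.50
 remark Same ports for hosts behind PAT, which share the interface address
 permit udp any eq isakmp host 203.0.113.1
 permit udp any eq non500-isakmp host 203.0.113.1
 remark PPTP: TCP 1723 control channel replies plus GRE tunnel data
 permit tcp any eq 1723 host 203.0.113.50
 permit gre any host 203.0.113.50
 remark Return traffic for ordinary sessions is handled by your existing
 remark stateful rules (not shown); the implicit deny drops everything else

interface GigabitEthernet0/0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in

interface GigabitEthernet0/1
 description Inside (LAN)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Two points to keep in mind when applying this. First, the FWSM in transparent mode sits in the same path and filters with its own access lists, so the same UDP 500/4500 (or TCP 1723 and GRE) permits are needed there as well, as Karar's advice to check the access lists on the device implies. Second, for IPsec clients the permits only help if NAT-T is enabled on the VPN server end; for a PPTP server, GRE carries no port numbers, which is why the static one-to-one mapping is the more reliable option when several clients behind the same PAT address are not required.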
