04-18-2006 11:16 AM - edited 02-21-2020 02:22 PM
I am trying to get IPsec (protocols 50/51) to work on a 2811 router that is doing NAT. I have created an ACL to allow ESP/AH on the in/out interfaces, but it is still not working. Is there anything else required to allow IPsec to work with NAT?
04-18-2006 12:22 PM
Hi
If you are trying to terminate the IPsec on a device behind the NAT router, then you will have to configure a static on the router.
04-18-2006 12:36 PM
What I am trying to do is allow a visitor/vendor to phone home using the IPsec VPN client through a router that is running NAT/overload. I have the following configured in the router and applied to the internal (private) and external (Internet-facing) interfaces:
ip access-list extended ipsec
remark SDM_ACL Category=4
permit esp any any
permit ahp any any
I am running SDM (Security Device Manager) on the 2811.
Thanks for your support.
05-03-2006 03:58 AM
Am I getting this right?
- You have a visitor inside your network using a VPN Client.
- He has an IPsec router with IPsec NAT Transparency enabled at home.
- Your router is doing FW / NAT / PAT in between
If this is the case, you should permit UDP IKE-NONE500 (I believe it is port 4500 (or 10000)) to travel through your router.
When using NAT Traversal, ESP is encapsulated in a UDP packet to be able to travel through the NAT devices.
Hope This Helps
Greetings
Jarle
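As an added example (not code from the original thread), the following Python shows the mechanism Jarle's reply describes: a PAT/overload router needs layer-4 ports to translate, raw ESP (protocol 50) and AH (protocol 51) have none, and NAT-T (RFC 3948) solves this by wrapping the ESP packet in UDP 4500, with IKE on the same port marked by four zero bytes (the "non-ESP marker") so the receiver can tell the two apart. The packets, addresses and function names are constructed for illustration only.

```python
import socket
import struct

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500          # IKE/ISAKMP; needed even without NAT-T
NATT_PORT = 4500        # IKE and ESP-in-UDP after NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 starts with 4 zero bytes
NATT_KEEPALIVE = b"\xff"               # RFC 3948: 1-byte keepalive holds the PAT entry open
IPV4_FMT = "!BBHHHBBH4s4s"             # 20-byte IPv4 header, no options


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (checksum left 0; enough for classification)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet: bytes) -> dict:
    """Look at a packet the way a NAT/PAT device does: which IPsec traffic is it,
    and does it carry UDP ports the translator can rewrite?"""
    fields = struct.unpack(IPV4_FMT, packet[:20])
    ihl, proto = (fields[0] & 0x0F) * 4, fields[6]
    payload = packet[ihl:]
    info = {"proto": proto, "nat_translatable": False, "kind": "other"}
    if proto == IP_PROTO_ESP:
        # ESP header: SPI(4) seq(4) ...; no ports, so PAT cannot multiplex it
        info.update(kind="esp", spi=struct.unpack("!I", payload[:4])[0])
    elif proto == IP_PROTO_AH:
        # AH header: next(1) len(1) rsvd(2) SPI(4) seq(4) ICV; the ICV also covers
        # the IP addresses, so any NAT rewrite breaks AH regardless of ACLs
        info.update(kind="ah", spi=struct.unpack("!I", payload[4:8])[0])
    elif proto == IP_PROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        body = payload[8:]
        info.update(nat_translatable=True, sport=sport, dport=dport, kind="udp")
        if IKE_PORT in (sport, dport):
            info["kind"] = "ike"
        elif NATT_PORT in (sport, dport):
            if body == NATT_KEEPALIVE:
                info["kind"] = "natt-keepalive"
            elif body[:4] == NON_ESP_MARKER:
                info["kind"] = "ike-natt"
            elif len(body) >= 4:
                # A real ESP SPI is never zero, which is what makes the marker work
                info.update(kind="esp-in-udp", spi=struct.unpack("!I", body[:4])[0])
    return info


def encapsulate_natt(esp_packet: bytes) -> bytes:
    """RFC 3948 UDP encapsulation: move the ESP packet (SPI onward) behind a
    UDP 4500/4500 header so a PAT router has ports to translate."""
    fields = struct.unpack(IPV4_FMT, esp_packet[:20])
    if fields[6] != IP_PROTO_ESP:
        raise ValueError("only ESP is UDP-encapsulated by NAT-T")
    ihl = (fields[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9])
    return build_ipv4(IP_PROTO_UDP, src, dst,
                      build_udp(NATT_PORT, NATT_PORT, esp_packet[ihl:]))


# Constructed sample packets (private visitor host -> vendor VPN gateway).
SRC, DST = "192.168.1.50", "203.0.113.9"
ESP_BODY = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16      # SPI, seq, ciphertext
AH_BODY = struct.pack("!BBHII", 4, 4, 0, 0xABCDEF01, 1) + b"\x00" * 12
SAMPLE_ESP_RAW = build_ipv4(IP_PROTO_ESP, SRC, DST, ESP_BODY)
SAMPLE_AH_RAW = build_ipv4(IP_PROTO_AH, SRC, DST, AH_BODY)
SAMPLE_IKE = build_ipv4(IP_PROTO_UDP, SRC, DST, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
SAMPLE_IKE_NATT = build_ipv4(IP_PROTO_UDP, SRC, DST,
                             build_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x00" * 28))
SAMPLE_KEEPALIVE = build_ipv4(IP_PROTO_UDP, SRC, DST,
                              build_udp(NATT_PORT, NATT_PORT, NATT_KEEPALIVE))

if __name__ == "__main__":
    for name, pkt in [("raw ESP", SAMPLE_ESP_RAW), ("raw AH", SAMPLE_AH_RAW),
                      ("IKE/500", SAMPLE_IKE), ("IKE/4500", SAMPLE_IKE_NATT),
                      ("keepalive", SAMPLE_KEEPALIVE),
                      ("ESP after NAT-T", encapsulate_natt(SAMPLE_ESP_RAW))]:
        print(f"{name:16} -> {classify(pkt)}")
```

Run as a script, the output shows that only the UDP packets (IKE on 500, IKE and ESP on 4500) are translatable by an overload NAT, which is why an ACL permitting protocols 50/51 alone does not help a PAT'd client: the router also has to pass UDP 500 and UDP 4500 (Cisco IOS calls the latter "non500-isakmp"), and the client and its home gateway must negotiate NAT-T so ESP arrives in the UDP form.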