ipsec and nat

JOHN APONTE (Level 1)

I am trying to get IPsec protocol 50/51 to work on a 2811 router that is doing NAT. I have created an ACL to allow ESP/AH on the in/out interface, but it is still not working. Is there anything else required to allow IPsec to work with NAT?

3 Replies

johnd2310 (Level 8)

Hi

If you are trying to terminate the IPsec on a device behind the NAT router, then you will have to configure a static on the router.

**Please rate posts you find helpful**

What I am trying to do is allow a visitor/vendor to phone home using the IPsec VPN client through a router that is running NAT/overload. I have the following configured in the router and applied to the internal (private) and external (internet-facing) interfaces.

```
ip access-list extended ipsec
 remark SDM_ACL Category=4
 permit esp any any
 permit ahp any any
```

I am running SDM (Security Device Manager) on the 2811.

Thanks for your support.

Am I getting this right?

- You have a visitor inside your network using a VPN client.

- He has an IPsec router with IPsec NAT Transparency enabled at home.

- Your router is doing FW / NAT / PAT in between.

If this is the case you should permit UDP IKE-NON500 (I believe it is port 4500 (or 10000)) to travel through your router.

When using NAT Traversal, ESP is encapsulated in a UDP packet to be able to travel through the NAT devices.

Hope This Helps

Greetings

Jarle
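The point Jarle makes is the one the posted ACL misses: once a NAT/PAT router sits between the VPN client and its home peer, the peers negotiate NAT Traversal and the traffic that actually crosses the 2811 is UDP/500 (IKE) and UDP/4500 (IKE and ESP-in-UDP), not native protocol 50/51, so an ACL that only permits esp/ahp never matches anything useful (AH in particular cannot survive NAT at all, since it authenticates the IP header that NAT rewrites). The script below is an added example, not code from the thread or from Cisco: it evaluates the thread's ACL and a NAT-T-aware version against constructed sample packets, and classifies UDP/4500 payloads by the RFC 3948 framing (four zero bytes in front of IKE, an ESP SPI first otherwise, a lone 0xFF byte as NAT keepalive). The Packet class, the ACL tuples and all sample bytes are my own constructions.

```python
"""Why an ESP/AH-only ACL fails behind NAT, and what NAT-T traffic looks like.

Added example for the thread above; not the original poster's or Cisco's code.
Assumptions: the Packet class and ACL tuples are mine; the UDP/4500 framing
follows RFC 3948 section 2 (IKE behind a 4-byte non-ESP marker, ESP with its
SPI first, a single 0xFF byte as NAT keepalive).
"""
import struct
from dataclasses import dataclass

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
PORT_ISAKMP, PORT_NAT_T = 500, 4500      # IOS ACL keywords: isakmp, non500-isakmp
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # SPI 0 is reserved, so this is unambiguous


@dataclass(frozen=True)
class Packet:
    proto: int        # IP protocol number
    dport: int        # UDP destination port, 0 for ESP/AH
    payload: bytes    # transport payload (constructed samples below)


# The ACL posted in the thread, as (protocol keyword, UDP port or None).
ACL_POSTED = (("esp", None), ("ahp", None))
# The same ACL with the two UDP ports NAT Traversal needs.
ACL_WITH_NAT_T = ACL_POSTED + (("udp", PORT_ISAKMP), ("udp", PORT_NAT_T))

_KEYWORD_TO_PROTO = {"esp": PROTO_ESP, "ahp": PROTO_AH, "udp": PROTO_UDP}


def acl_permits(acl, pkt):
    """First-match evaluation of a 'permit <proto> any any [eq port]' list."""
    for keyword, port in acl:
        if pkt.proto == _KEYWORD_TO_PROTO[keyword] and (port is None or pkt.dport == port):
            return True
    return False    # implicit deny at the end of every IOS ACL


def classify_nat_t(payload):
    """Classify a UDP/4500 payload per RFC 3948 section 2.

    Returns (kind, spi): kind is 'keepalive', 'ike', 'esp' or 'malformed';
    spi is set only for ESP.
    """
    if payload == b"\xff":
        return ("keepalive", None)
    if len(payload) < 8:
        return ("malformed", None)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", None)
    spi, _seq = struct.unpack("!II", payload[:8])
    return ("esp", spi)


def vpn_client_passes(acl, packets):
    """Names of the sample packets the ACL would forward."""
    return [name for name, pkt in packets if acl_permits(acl, pkt)]


# Constructed sample traffic for a VPN client behind NAT/PAT (28 zero bytes
# stand in for an ISAKMP header; the SPI value is made up).
SAMPLE = (
    ("ike-udp500",  Packet(PROTO_UDP, PORT_ISAKMP, b"\x00" * 28)),
    ("ike-udp4500", Packet(PROTO_UDP, PORT_NAT_T, NON_ESP_MARKER + b"\x00" * 28)),
    ("esp-in-udp",  Packet(PROTO_UDP, PORT_NAT_T, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16)),
    ("keepalive",   Packet(PROTO_UDP, PORT_NAT_T, b"\xff")),
    ("native-esp",  Packet(PROTO_ESP, 0, struct.pack("!II", 0xC0FFEE01, 1))),  # does not survive PAT
)

if __name__ == "__main__":
    print("posted ACL passes:", vpn_client_passes(ACL_POSTED, SAMPLE))
    print("with NAT-T passes:", vpn_client_passes(ACL_WITH_NAT_T, SAMPLE))
    for name, pkt in SAMPLE:
        if pkt.dport == PORT_NAT_T:
            print(name, "->", classify_nat_t(pkt.payload))
```

Run as a script it shows that the posted ACL forwards only the native ESP packet, which is the one kind a PAT router will not deliver anyway, while the NAT-T-aware list forwards the IKE and ESP-in-UDP packets the client actually sends. On IOS the two extra entries are `permit udp any any eq isakmp` and `permit udp any any eq non500-isakmp`; the 10000 alternative Jarle mentions is Cisco's proprietary IPsec-over-UDP encapsulation, whose framing differs and is not modelled here.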