Cisco Support Community
New Member

IPSEC and NAT

I have a customer that uses NAT to connect to the web. He would now like to connect to one of his servers from the web using IPSEC. This server has a static NAT entry.

I am worried that due to the NAT process sitting in between the hosts that the IPSEC tunnel will not work.

Please advise.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: IPSEC and NAT

Assuming you are using ESP encapsulation, static NAT should work. PAT will have problems and AH encapsulation will not work. You will also need to open up an inbound ESP conduit and probably IKE (UDP 500) on the firewall.
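
The three claims in this answer (ESP survives a one-to-one static NAT, PAT cannot translate it, and AH never survives address rewriting) can be shown with a small simulation. This is an added example, not code from the original thread or from Cisco: the integrity check is simplified (real AH covers the whole IP header with mutable fields zeroed, and real ESP is encrypted as well as authenticated), but it keeps the one property that decides the question, namely that AH binds the IP addresses into its ICV and ESP does not. All addresses, the SA key and the port table are constructed values.

```python
"""Constructed simulation: does an IPsec packet still verify after NAT?"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

ESP, AH, UDP, TCP = 50, 51, 17, 6
SA_KEY = b"constructed-demo-key"  # constructed; a real SA key is negotiated by IKE

GLOBAL_IP = "203.0.113.10"   # static NAT address the client on the web sends to
SERVER_IP = "10.1.1.10"      # inside address of the server terminating the tunnel
CLIENT_IP = "198.51.100.7"   # remote admin workstation


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes
    dport: int = 0       # only meaningful for UDP/TCP; ESP and AH carry no ports
    icv: bytes = b""


def _addr(ip: str) -> bytes:
    return ipaddress.ip_address(ip).packed


def compute_icv(pkt: Packet) -> bytes:
    """AH authenticates the outer IP addresses; ESP authenticates only its own payload."""
    if pkt.proto == AH:
        covered = _addr(pkt.src) + _addr(pkt.dst) + pkt.payload
    elif pkt.proto == ESP:
        covered = pkt.payload
    else:
        raise ValueError("not an IPsec packet")
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:12]


def protect(pkt: Packet) -> Packet:
    """Sender side: attach the ICV computed over the fields the protocol covers."""
    return replace(pkt, icv=compute_icv(pkt))


def verify(pkt: Packet) -> bool:
    """Receiver side: recompute the ICV on the packet as it arrived."""
    return hmac.compare_digest(pkt.icv, compute_icv(pkt))


def static_nat_inbound(pkt: Packet, global_ip: str, inside_ip: str) -> Optional[Packet]:
    """One-to-one static entry: rewrite the destination address, any IP protocol."""
    if pkt.dst != global_ip:
        return None
    return replace(pkt, dst=inside_ip)


def pat_inbound(pkt: Packet, global_ip: str,
                table: Dict[Tuple[int, int], Tuple[str, int]]) -> Optional[Packet]:
    """PAT multiplexes on (protocol, port). ESP/AH have no port, so nothing can match."""
    if pkt.dst != global_ip or pkt.proto not in (UDP, TCP):
        return None
    entry = table.get((pkt.proto, pkt.dport))
    if entry is None:
        return None
    inside_ip, inside_port = entry
    return replace(pkt, dst=inside_ip, dport=inside_port)


def tunnel_survives(proto: int, translator: Callable[[Packet], Optional[Packet]]) -> bool:
    """Client sends to the global address; the server verifies what NAT delivers."""
    outer = protect(Packet(src=CLIENT_IP, dst=GLOBAL_IP, proto=proto,
                           payload=b"encrypted-admin-session"))
    delivered = translator(outer)
    return delivered is not None and verify(delivered)


def esp_over_static_nat() -> bool:
    return tunnel_survives(ESP, lambda p: static_nat_inbound(p, GLOBAL_IP, SERVER_IP))


def ah_over_static_nat() -> bool:
    return tunnel_survives(AH, lambda p: static_nat_inbound(p, GLOBAL_IP, SERVER_IP))


PAT_TABLE = {(UDP, 500): (SERVER_IP, 500)}   # IKE (UDP 500) can be forwarded by port


def esp_over_pat() -> bool:
    return tunnel_survives(ESP, lambda p: pat_inbound(p, GLOBAL_IP, PAT_TABLE))


def ike_over_pat() -> bool:
    ike = Packet(src=CLIENT_IP, dst=GLOBAL_IP, proto=UDP, payload=b"IKE", dport=500)
    return pat_inbound(ike, GLOBAL_IP, PAT_TABLE) is not None


if __name__ == "__main__":
    print("ESP over static NAT:", esp_over_static_nat())   # True
    print("AH  over static NAT:", ah_over_static_nat())    # False: ICV covered the old dst
    print("ESP over PAT:       ", esp_over_pat())          # False: no port to translate
    print("IKE over PAT:       ", ike_over_pat())          # True: UDP 500 has a port
```

The IKE case is why the answer says to open UDP 500 as well as ESP: the key exchange is ordinary UDP and needs its own entry, while the ESP traffic (IP protocol 50) is only carried by a translation that does not depend on ports.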

6 REPLIES
Cisco Employee

Re: IPSEC and NAT

What exactly is he connecting to though? Is he connecting straight to the server using IPSec, because that would be a little unusual? Normally he'll be connecting to a device (router/firewall) in front of the server and that will be terminating his IPSec tunnel, and yes, it's possible the NAT will cause problems.

I can't tell you for sure how to fix it or if it will be a problem until you tell us the exact setup.

New Member

Re: IPSEC and NAT

They want to do remote administration of the server using a VPN client on a PC connecting to the web, which must in turn terminate the tunnel directly on the server, also running the VPN client (the client will most probably be Microsoft's).

The problem with terminating the tunnel on a device (customer has a 3640 on site) is that there are a number of devices between their router and the web. Their router links to a 7200 (PE) which in turn connects to a 3660 and then through a PIX to the internet router. The NAT is being done on the 3660.

I imagine that terminating the tunnel on the external PIX would be the best solution, but they also have ISDN dial-up connections which terminate on the 3660 mentioned, which they also want to use for the admin connection, and the NAT will still influence both.

Cisco Employee

Re: IPSEC and NAT

You can't terminate an IPSec tunnel from a client directly onto another client, IPSec doesn't work like that. The tunnel will have to be terminated on a router or firewall before the end device.

New Member

Re: IPSEC and NAT

I am well aware that the Cisco implementation of IPSEC does not support this configuration and we are advising the customer to rather terminate all tunnels on his router and to use the Cisco client on the PC/Workstations as well (Makes it easier for us to support if required).

The customer wanted to use the Microsoft version of the IPSEC client, which apparently can do this; either way it does not change the configuration of the network. Whether I terminate the tunnel on a firewall or router, it still has to pass through the NAT, which is the reason for my concern. Will the NAT break the IPSEC tunnel?

New Member

Re: IPSEC and NAT

Thanks, this did the trick. Using the Cisco client and terminating the tunnel on their router, the customers can now do the required admin via an IPSec tunnel, either via dial-up or the web.

Thx.
