Cisco Support Community

New Member

IPSEC through NAT

I need to set up an IPSEC session between two routers that can 'see' each other through a NAT router.

R1 --------- NAT ----------- R2

The IP addresses of both routers are statically NAT'ed.

From R1's point of view:

R1 = 10.1.1.1, R2 = 10.1.1.2

set peer on R1 = 10.1.1.2

From R2's point of view:

R2 = 172.18.1.1, R1 = 172.18.1.2

set peer on R2 = 172.18.1.2

Would the following transform-set work: esp-3des esp-md5-hmac between the two routers and through the NAT device?

1 REPLY
Cisco Employee

Re: IPSEC through NAT

Yep, that should work, as long as it's a one-to-one mapping and you point the peer to the NAT address (or the address that each uses to see each other).

Just don't use an AH transform, because that doesn't work through a NAT device: it checks the entire packet, including the source/dest IP address, and if this changes in between the two then it'll fail.

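The point made in the reply above, as an added example that is not part of the original thread: a simplified Python model of which bytes the AH and ESP integrity checks cover, run over the addresses from the question. The key, SPI values and inner payload are constructed, and the protected payload is treated as opaque bytes (no real encryption is performed).

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # 20-byte IPv4 header; checksum left at 0 (AH zeroes it before hashing anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def icv(data):
    # HMAC-MD5-96, the truncated MAC behind the *-md5-hmac transforms
    return hmac.new(KEY, data, hashlib.md5).digest()[:12]

def ah_input(hdr, ah_fixed, payload):
    # AH covers the IP header with mutable fields zeroed (TOS, flags/fragment
    # offset, TTL, checksum), the AH header with a zeroed ICV, and the payload.
    b = bytearray(hdr)
    b[1] = 0; b[6:8] = b"\0\0"; b[8] = 0; b[10:12] = b"\0\0"
    return bytes(b) + ah_fixed + b"\0" * 12 + payload

def build_ah(src, dst, inner):
    ah_fixed = struct.pack("!BBHII", 4, 4, 0, 0x1001, 1)  # next hdr, len, rsvd, SPI, seq
    hdr = ipv4_header(src, dst, 51, 24 + len(inner))
    return hdr, ah_fixed, icv(ah_input(hdr, ah_fixed, inner)), inner

def verify_ah(pkt):
    hdr, ah_fixed, tag, inner = pkt
    return hmac.compare_digest(tag, icv(ah_input(hdr, ah_fixed, inner)))

def build_esp(src, dst, ciphertext):
    esp = struct.pack("!II", 0x2001, 1) + ciphertext  # SPI, seq, opaque payload
    return ipv4_header(src, dst, 50, len(esp) + 12), esp, icv(esp)

def verify_esp(pkt):
    return hmac.compare_digest(pkt[2], icv(pkt[1]))  # outer IP header is not covered

def nat(pkt, src, dst):
    # Static one-to-one NAT: only the outer source/destination addresses change
    return (pkt[0][:12] + socket.inet_aton(src) + socket.inet_aton(dst),) + pkt[1:]

def hop(pkt):
    # Ordinary router hop: only the TTL, a mutable field, changes
    h = pkt[0]
    return (h[:8] + bytes([h[8] - 1]) + h[9:],) + pkt[1:]

if __name__ == "__main__":
    inner = b"constructed inner packet bytes"  # stands in for the protected data
    for name, build, verify in (("AH", build_ah, verify_ah), ("ESP", build_esp, verify_esp)):
        pkt = build("10.1.1.1", "10.1.1.2", inner)        # as sent by R1
        seen = nat(hop(pkt), "172.18.1.2", "172.18.1.1")  # as received by R2
        print(name, "sent:", verify(pkt), "after NAT:", verify(seen))
```

The AH check survives a plain router hop, because the TTL is excluded as a mutable field, but fails once the addresses are translated; the ESP check passes in both cases.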