A new feature was added to 12.2(13)T which is IPSec Through Network Address Translation Support. I believe this should allow me to connect a PC running the new VPN client to a PIX firewall VPN that does not support the NAT Traversal techniques of using a TCP or UDP wrapper.
I have configured my router with the following commands:
ip nat inside source list 21 interface Dialer1 overload
ip nat inside source static esp 192.168.0.1 interface Dialer1
ip nat inside source static 192.168.0.1 interface Dialer1
The VPN connects and authenticates but I cannot ping any devices. When I send out pings the VPN client shows packets encrypted but packets decrypted remains at 0.
Re: IPSec Through Network Address Translation Support
The feature you are talking about is called "NAT-T", which is auto-detected and auto-negotiated. If you are using NAT-T, then your packets will be encapsulated in UDP 4500 rather than the IP protocol 50.
If you are running 12.2(13)T and NAT-T is not getting negotiated, then make sure that you are running version 3.6 of the VPN client. Plus, make sure that in the debugs, NAT-T is getting negotiated as well.
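The reply's point is that with NAT-T the ESP traffic no longer arrives as IP protocol 50 but inside UDP/4500, so a capture from the router's outside interface shows which encapsulation is actually in use. The following Python script is an added example, not code from the original post or from Cisco: it parses raw IPv4 packets and labels each one as native ESP, IKE on UDP/500, or NAT-T traffic on UDP/4500 (IKE behind the four-zero-byte non-ESP marker, UDP-encapsulated ESP, or a one-byte keepalive). The sample packets, the addresses 192.168.0.1 and 203.0.113.10, and the IKE payload bytes are constructed placeholders.

```python
"""Classify IPsec-related IPv4 packets as native ESP (IP protocol 50),
IKE on UDP/500, or NAT-T traffic on UDP/4500 (IKE with the non-ESP
marker, UDP-encapsulated ESP, or a NAT keepalive)."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: marks IKE carried inside UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte NAT keepalive payload


@dataclass
class Classification:
    src: str
    dst: str
    kind: str   # esp-native | ike-udp500 | ike-nat-t | esp-udp-encap | nat-t-keepalive | other
    spi: Optional[int] = None


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def classify_packet(pkt: bytes) -> Classification:
    """Parse one raw IPv4 packet and report which IPsec encapsulation it carries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = _dotted(pkt[12:16]), _dotted(pkt[16:20])
    payload = pkt[ihl:]

    if proto == IPPROTO_ESP:
        # Native ESP: the SPI is the first 32 bits of the ESP header.
        (spi,) = struct.unpack("!I", payload[:4])
        return Classification(src, dst, "esp-native", spi)

    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        udp_payload = payload[8:]
        if IKE_PORT in (sport, dport):
            return Classification(src, dst, "ike-udp500")
        if NAT_T_PORT in (sport, dport):
            if udp_payload == NAT_KEEPALIVE:
                return Classification(src, dst, "nat-t-keepalive")
            if udp_payload[:4] == NON_ESP_MARKER:
                return Classification(src, dst, "ike-nat-t")
            if len(udp_payload) >= 4:
                # UDP-encapsulated ESP: no marker, the (non-zero) SPI comes first.
                (spi,) = struct.unpack("!I", udp_payload[:4])
                return Classification(src, dst, "esp-udp-encap", spi)
    return Classification(src, dst, "other")


def summarize(packets: List[bytes]) -> Dict[str, int]:
    """Count packet kinds, which shows at a glance whether a tunnel is using NAT-T."""
    return dict(Counter(classify_packet(p).kind for p in packets))


def nat_t_negotiated(packets: List[bytes]) -> bool:
    """True when IKE moved to UDP/4500 and ESP is arriving UDP-encapsulated."""
    kinds = summarize(packets)
    return kinds.get("ike-nat-t", 0) > 0 and kinds.get("esp-udp-encap", 0) > 0


# --- constructed sample packets (placeholders, not real captures) -------------
def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


CLIENT, GATEWAY = "192.168.0.1", "203.0.113.10"   # placeholder addresses
IKE_BLOB = b"\x11" * 28                            # stand-in for an IKE header
SAMPLES = {
    "esp_native": _ipv4(IPPROTO_ESP, CLIENT, GATEWAY,
                        struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16),
    "ike_500": _ipv4(IPPROTO_UDP, CLIENT, GATEWAY, _udp(500, 500, IKE_BLOB)),
    "ike_4500": _ipv4(IPPROTO_UDP, CLIENT, GATEWAY,
                      _udp(4500, 4500, NON_ESP_MARKER + IKE_BLOB)),
    "esp_4500": _ipv4(IPPROTO_UDP, CLIENT, GATEWAY,
                      _udp(4500, 4500, struct.pack("!II", 0xDEADBEEF, 7) + b"\xbb" * 16)),
    "keepalive": _ipv4(IPPROTO_UDP, CLIENT, GATEWAY, _udp(4500, 4500, NAT_KEEPALIVE)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_packet(pkt))
    print("NAT-T negotiated:", nat_t_negotiated(list(SAMPLES.values())))
```

Run against packets from a real capture, a trace that shows only "esp-native" and "ike-udp500" means NAT-T was never negotiated and the static ESP translation in the poster's configuration is the path being exercised; a trace with "ike-nat-t" and "esp-udp-encap" means the tunnel is riding UDP/4500 and the PAT overload rule alone carries it.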