Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPSec Through Network Address Translation Support

A new feature was added to 12.2(13)T which is IPSec Through Network Address Translation Support. I believe this should allow me to connect a PC running the new VPN client to a PIX firewall VPN that does not support the NAT Traversal techniques of using a TCP or UDP wrapper.

I have configured my router with the following commands:

ip nat inside source list 21 interface Dialer1 overload

ip nat inside source static esp interface Dialer1

ip nat inside source static interface Dialer1

The VPN connects and authenticates but I cannot ping any devices. When I send out pings the VPN client shows packets encrypted but packets decrypted remains at 0.

I have set the MTU on the LAN interface at 1200.

Thanks in advance for any help.


Re: IPSec Through Network Address Translation Support


The feature you are talking about is called "NAT-T", which is auto-detected and auto-negotiated.If you are using NAT-T, then your packets will be encapsulated in UDP 4500 rather than the IP protocol 50.

If you are running 12.2(13)T and NAT-T is not getting negotiated, them make sure that you are running 3.6 version of the VPN client. Plus, make sure that in the debugs, NAT-T is getting negotiated as well