New Member

IPSec through PAT

Hello,

I have a client that needs to establish an IPSec tunnel from behind PAT on an 804 ISDN router. The router will be configured to get a dynamic address on the BRI from the ISP. The node that is running the vpn client is directly connected to the ethernet port of the router. Is there any way to get this to work? If so how? Thanks...

5 REPLIES
New Member

Re: IPSec through PAT

I'm on a similar problem. I haven't tested yet, but I believe that you have to configure your VPN client using manual keys and with the same manual configuration on the other peer. You have to disable ISAKMP, based on UDP port 500. You can refer to a configuration in the "IPSEC user guide for the Cisco Secure PIX Firewall ver 5.3"; it is a PIX-to-PIX configuration but could be a good reference.

What about a proxy instead of a Cisco 8xx?

New Member

Re: IPSec through PAT

I have had this problem also in a similar (NAT) setup. ISAKMP would not work but Manual Keys were fine. I think it's because the HASH on ISAKMP can't be turned off (you can only choose between MD5 or SHA); because of this and the NAT, the packet will fail the HASH check.

New Member

Re: IPSec through PAT

This took me a while to figure out! Rather than show the config, just use Cisco's ConfigMaker to do it.

The main thing to remember is to allow the interface through the tunnel...

New Member

Re: IPSec through PAT

Hope your configuration would be working by now. I have implemented a VPN covering 130 retail sites, each site with a PC, one Cisco 803 and one ISDN BRI. The problem you have mentioned bugged me a lot. I struggled with Cisco Secure client and Check Point's SecuRemote. The problem is that you need true NAT for this to function properly. In the case of an 803 router dialing an ISP, what we get is a variable IP address each time, so a true inbound NAT cannot be established. I used eTrust VPN from Computer Associates. It has no issues working through PAT.

The other way is to have an IPSec tunnel between the 803 BRI and the head office PIX. With PIX you can have dynamic crypto maps, which can handle the variable IP addresses from originating routers.

I spent quite some time on this and I am happy the setup is working superbly. If you still have problems or need more information, feel free to contact me.
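The two replies above (the hash check failing after NAT, and "true" NAT working where PAT does not) come down to one mechanism: the sender computes an integrity check, the receiver verifies it, and a translator in the path either rewrites something the check covers or has nothing it can map. The Python model below is an added example, not code from this thread or from any Cisco product; the key, addresses, ports and payload are constructed, and AH/ESP coverage is reduced to the single fact that matters here (an AH-style check covers the IP addresses, an ESP-style check does not, and plain ESP carries no transport port). It goes one step beyond the thread by also modelling ESP wrapped in UDP, which is how the IPsec NAT-traversal standard (RFC 3948, UDP port 4500) gives a PAT device a port to rewrite and map.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

# Constructed demo key shared by both tunnel ends; stands in for the SA's auth key.
AUTH_KEY = b"constructed-demo-auth-key"

PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: Optional[int]  # None for protocols that carry no transport ports
    dst_port: Optional[int]
    payload: bytes


def ah_icv(pkt: Packet) -> bytes:
    """AH-style integrity check value: covers the immutable IP header fields
    (addresses included) plus the payload, so an address rewrite breaks it."""
    covered = f"{pkt.src_ip}|{pkt.dst_ip}|{pkt.proto}".encode() + pkt.payload
    return hmac.new(AUTH_KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    """ESP-style integrity check value: covers the ESP payload only, never the
    outer IP header, so rewriting the source address does not invalidate it."""
    return hmac.new(AUTH_KEY, pkt.payload, hashlib.sha256).digest()


class Translator:
    """Address translator in the path. port_based=False models 'true' 1:1 NAT
    (address rewrite only); port_based=True models PAT, where many private
    hosts share one public address and are told apart by a rewritten port."""

    def __init__(self, public_ip: str, port_based: bool, first_port: int = 20000):
        self.public_ip = public_ip
        self.port_based = port_based
        self.next_port = first_port
        self.table = {}  # (proto, translated port) -> (private ip, private port)

    def outbound(self, pkt: Packet) -> Packet:
        if not self.port_based:
            return replace(pkt, src_ip=self.public_ip)
        if pkt.src_port is None:
            # PAT has no port field to rewrite, and nothing to key the return mapping on.
            raise ValueError(f"protocol {pkt.proto} carries no port; PAT cannot map it")
        new_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, new_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=new_port)


def delivered_intact(pkt: Packet, box: Translator, icv_fn) -> Optional[bool]:
    """Sender computes the ICV, the translator rewrites the packet, the receiver
    recomputes. True/False is the receiver's verdict; None means the translator
    could not forward the packet at all."""
    sent_icv = icv_fn(pkt)
    try:
        arrived = box.outbound(pkt)
    except ValueError:
        return None
    return hmac.compare_digest(sent_icv, icv_fn(arrived))


def run_model() -> dict:
    """Run the four cases the thread is really about (all values constructed)."""
    nat = Translator("203.0.113.10", port_based=False)
    pat = Translator("203.0.113.10", port_based=True)
    inner = b"protected data (constructed)"
    client, peer = "192.168.1.20", "198.51.100.5"
    ah = Packet(client, peer, PROTO_AH, None, None, inner)
    esp = Packet(client, peer, PROTO_ESP, None, None, inner)
    # ESP encapsulated in UDP: the NAT-traversal standard (RFC 3948) uses port 4500
    # precisely so that a PAT device has a port to rewrite and map.
    esp_in_udp = Packet(client, peer, PROTO_UDP, 4500, 4500, inner)
    return {
        "ah_via_nat": delivered_intact(ah, nat, ah_icv),      # False: header is covered
        "esp_via_nat": delivered_intact(esp, nat, esp_icv),   # True: payload only
        "esp_via_pat": delivered_intact(esp, pat, esp_icv),   # None: nothing to map
        "esp_in_udp_via_pat": delivered_intact(esp_in_udp, pat, esp_icv),  # True
    }


if __name__ == "__main__":
    for case, verdict in run_model().items():
        print(f"{case:20s} -> {verdict}")
```

The outcome matches the pattern reported in the thread: with a fixed one-to-one address mapping the ESP integrity check still passes, while a port-based translator has no port to work with for bare ESP (or AH), which is why a client behind PAT on a dynamically addressed dial-up router needs either a translation-aware client or UDP encapsulation of the tunnel traffic.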

New Member

Re: IPSec through PAT

It can't be done and be secure in this setup.

I recommend the CVPN3002:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/get_strt/gs4cli.htm#xtocid183939

If connecting to a concentrator, you are OK. If you are connecting to a PIX, I would upgrade to v6.0(1) on the PIX software.

You will not be able to ping devices on the remote site from the main site. This is the only shortcoming of this.

If you do IPsec pass-through (if connecting to a PIX on the main site), please take caution: secondary connections do not re-authenticate with the SA and you are vulnerable to being hacked.
