IPSec through PAT

csoechting
Level 4

Hello,

I have a client that needs to establish an IPSec tunnel from behind PAT on an 804 ISDN router. The router will be configured to get a dynamic address on the BRI from the ISP. The node that is running the vpn client is directly connected to the ethernet port of the router. Is there any way to get this to work? If so how? Thanks...

5 Replies

c.albrisi
Level 1

I'm on a similar problem. I haven't tested yet, but I believe that you have to configure your VPN client using manual keys and with the same manual configuration on the other peer. You have to disable ISAKMP based on UDP port 500. You can refer to a configuration in the "IPSEC user guide for the Cisco Secure PIX Firewall ver 5.3"; it is a PIX-to-PIX configuration but could be a good reference.

What about a proxy instead of a Cisco 8xx?

tawye
Level 1

I have had this problem also in a similar (NAT) setup. ISAKMP would not work but manual keys were fine. I think it's because the hash on ISAKMP can't be turned off (you can only choose between MD5 and SHA); because of this and the NAT, the packet will fail the hash check.
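
As an added illustration, not from any poster in this thread, of why an integrity check that covers the outer IP header cannot survive address rewriting while one that covers only the protected body can: a short Python model of the receiver-side AH and ESP checks, using constructed documentation-range addresses and a constructed key.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH, ESP = 51, 50                           # IP protocol numbers
KEY = b"constructed demo key"              # constructed; not from the thread
ICV_LEN = 12                               # HMAC-SHA1-96, as IPsec truncates it


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left as 0 to keep the demo short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def ah_covered_header(ip_hdr):
    """RFC 4302 rule: zero the mutable fields (TOS, flags/fragment offset, TTL,
    checksum) before hashing, but keep source and destination addresses."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def icv(data):
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build(src, dst, proto, body):
    """Sender side. `body` stands in for the AH/ESP header plus protected data;
    the ICV is simply appended rather than placed in the real header position."""
    hdr = ipv4_header(src, dst, proto, len(body) + ICV_LEN)
    covered = ah_covered_header(hdr) + body if proto == AH else body
    return hdr + body + icv(covered)


def verify(packet):
    """Receiver side: recompute the ICV over whatever the chosen protocol covers."""
    hdr, body, tag = packet[:20], packet[20:-ICV_LEN], packet[-ICV_LEN:]
    covered = ah_covered_header(hdr) + body if hdr[9] == AH else body
    return hmac.compare_digest(tag, icv(covered))


def pat_rewrite(packet, public_src):
    """What the dialup router does on egress: replace the private source address
    with the ISP-assigned one (ports are not modelled; IP protocols 50/51 have none)."""
    return packet[:12] + IPv4Address(public_src).packed + packet[16:]
```

Rewriting the source address breaks the AH check but leaves the ESP check intact; the model says nothing about the separate ISAKMP identity problem.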

michael
Level 1

This took me a while to figure out! Rather than show the config, just use Cisco's ConfigMaker to do it.

The main thing to remember is to allow the interface through the tunnel...

arunv
Level 1

Hope your configuration would be working by now. I have implemented a VPN covering 130 retail sites, each site with a PC, one Cisco 803 and one ISDN BRI. The problem you have mentioned bugged me a lot. I struggled with Cisco Secure client and Check Point's SecuRemote. The problem is that you need true NAT for this to function properly. In the case of an 803 router dialing an ISP, what we get is a variable IP address each time, so a true inbound NAT cannot be established. I used eTrust VPN from Computer Associates. It has no issues working through PAT.

The other way is to have an IPSec tunnel between the 803 BRI and the head office PIX. With PIX you can have dynamic crypto maps which can handle the variable IP addresses from originating routers.

I spent quite some time on this and I am happy the setup is working superbly. If you still have problems or need more information, feel free to contact me.

jv128
Level 1

It can't be done and be secure in this setup.

I recommend the CVPN3002:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3002/get_strt/gs4cli.htm#xtocid183939

If connecting to a concentrator, you are OK. If you are connecting to a PIX, I would upgrade to v6.0(1) on the PIX SW.

You will not be able to ping devices on the remote site from the main site. This is the only shortcoming of this.

If you do IPsec pass-through (if connecting to a PIX on the main site), please take caution: secondary connections do not re-authenticate with the SA and you are vulnerable to being hacked.