Cisco Support Community

New Member

IPsec VPN through a PAT router

I have a customer with a single IP address from his ISP. He wants to use a VPN solution but this will require the ISP router, doing Port Address Translation, to recognise the VPN packets and forward them to the right internal address. I know how to use static PAT with a TCP or UDP port number, but ESP, AH and GRE are all IP protocols, not TCP or UDP protocols.

Does anyone know how I can set up static PAT for these protocols and which routers / feature sets I would need for this?

Thanks in advance.

  • Other Security Subjects
5 REPLIES
Silver

Re: IPsec VPN through a PAT router

NAT Transparency is the feature you’ll need in your VPN solution. Cisco’s VPN concentrators support this.
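As an added illustration (not from the reply above or from Cisco's documentation for any particular product), the following Cisco IOS fragment shows what NAT Transparency (NAT-T: ESP encapsulated in UDP port 4500) makes possible on the PAT router from the original question. Because IKE (UDP 500) and NAT-T encapsulated ESP (UDP 4500) carry port numbers, ordinary static PAT entries can forward them to the internal VPN gateway, which raw ESP (IP protocol 50) and AH (IP protocol 51) cannot be. The interface names, the 192.168.1.10 gateway address and the 203.0.113.5 public address are placeholders.

```cisco
! Inside LAN segment and the ISP-facing interface (placeholder names/addresses)
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 203.0.113.5 255.255.255.252
 ip nat outside
!
! Ordinary overloaded PAT for the rest of the LAN
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
!
! Static PAT for the IPsec endpoint behind the router.
! Both entries are only useful because NAT-T moves ESP into UDP/4500:
! IKE is UDP/500 and NAT-T encapsulated ESP is UDP/4500.
! Raw ESP (IP protocol 50) and AH (51) have no port field, so no
! equivalent "static udp/tcp" entry can be written for them.
ip nat inside source static udp 192.168.1.10 500 interface FastEthernet0/1 500
ip nat inside source static udp 192.168.1.10 4500 interface FastEthernet0/1 4500
```

Two checks a practitioner would run: `show ip nat translations` on the router should list the UDP 500 and 4500 entries once a tunnel is up, and both IPsec peers must support NAT-T (it is negotiated during IKE), otherwise the peers fall back to raw ESP and the translation entries above never see any traffic. Only one internal gateway can be mapped this way per public address, since both entries claim the same global ports.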

New Member

Re: IPsec VPN through a PAT router

Thank you.

However, the customer is not using Cisco concentrators. The VPN is terminating on a Sonicwall box. I am not in a position to change this, unfortunately.

Any ideas?

New Member

Re: IPsec VPN through a PAT router

This may not help considering that you cannot change the device being terminated into, however we have tested Cisco 2621s and 1605Rs using PPTP on Win2K Professional clients terminating into a Win2K Server behind the individual routers. All routers are running NAT/PAT on the outside interface. This configuration has been virtually flawless. We tested many permutations of this (with/without WINS, various levels of encryption & compression, etc.) before we settled on a standard template configuration for this type of access. If your VPN terminating device supports PPTP & the various Microsoft protocols (MPPE/MPPC, etc.) then I suspect that it will function in the same way. The only issue I've had so far is loss of telnet access to the public interface from non-private IP ranges (but this may just be a NAT/PAT/Access-List issue that I'm just not seeing in my router configs) :( In any event, let me know if this helps and I'll email you a detailed network configuration of our general set-ups.

P.S. I think the general consensus is that non-PPTP based VPN solutions WILL NOT function correctly through a PAT due to PAT 'packet fix-ups' that cannot be made to the packets being passed. If your client REQUIRES a non-PPTP VPN solution you may HAVE to terminate the VPN into the public IP router/VPN server.

New Member

Re: IPsec VPN through a PAT router

PPTP and IPSEC will work through a "PAT" router. The trick is called "passthrough".

Most SOHO routers are not enabled with a PPTP and IPSEC passthrough switch. In a Cisco this is made possible via the NONAT route map. By defining a route map called NONAT and applying a deny or allow on address space, you can keep IPSEC and PPTP traffic out of the NAT. This will allow it to pass un-NATed.
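The route-map technique the reply describes, written out as an added Cisco IOS example (not the poster's own configuration). It assumes the router itself terminates the IPsec tunnel, with the local LAN 192.168.1.0/24 and the remote site 10.0.0.0/24 as placeholder networks and FastEthernet0/1 as the outside interface:

```cisco
! Traffic bound for the remote VPN site must not be translated; everything
! else from the LAN is overloaded onto the outside interface as usual.
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! The route map named NONAT matches access-list 101. Packets the list
! denies do not match the route map and are therefore left un-NATed.
route-map NONAT permit 10
 match ip address 101
!
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
!
! The crypto map's interesting-traffic ACL should mirror the deny line
! above, so that the exempted traffic is exactly the traffic entering
! the tunnel (the rest of the crypto configuration is omitted here).
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
```

To verify, `show ip nat translations` should show no entries for 10.0.0.0/24 destinations while LAN traffic to other destinations is still translated. One caveat for the original question: this exemption stops the router from rewriting addresses, which is what you want when the router is the IPsec peer. If the VPN endpoint is a separate box (such as the Sonicwall) with a private address behind a single public IP, an exempted packet still leaves with that private source address and the ISP will not route it, so exemption alone does not replace NAT-T or static PAT of the NAT-T ports in that topology.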

New Member

Re: IPsec VPN through a PAT router

I'd like a copy of those diagrams and notes if you don't mind.

199 Views | 0 Helpful | 5 Replies