IPSec with PAT

We have a Checkpoint VPN client and a Checkpoint VPN Concentrator. The Checkpoint client software is installed on a PC which is connected to the inside Ethernet interface of a Cisco 827 router. The other side of the router is a DSL dialer interface which gets its IP address assigned dynamically. The VPN works fine when we do a Static NAT to the outside interface. However, we cannot do a Static NAT to the outside interface because, like I said before, it is assigned dynamically. When we do a NAT overload to the dialer interface, the VPN does not work. I believe it is because of PAT. For some reason the VPN works with a Static NAT, but not with PAT. Some vendors (Cisco) have a workaround for IPSec with PAT. What is the problem with IPSec and PAT?

Bruce

mailto:bruce.lawrence.williams@verizon.com

3 Replies

m.long
Level 1

I have come up against this problem too many times.

Below is pulled from "http://www.cisco.com/warp/public/471/nat_trans.html".

Many-to-one, the most commonly implemented NAT solution, maps several private addresses to one single routable (public) address; this is also known as Port Address Translation (PAT). The association is implemented at the port level. The PAT solution creates a problem for IPSec traffic that doesn't use any ports.

Encapsulating Security Payload

Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. Most PAT devices don't work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs). The NAT transparent mode in the VPN 3000 Client solves this problem by encapsulating ESP within UDP and sending it to a negotiated port. The name of the attribute to activate on the VPN 3000 Concentrator is IPSec through NAT.

I know about the NAT Transparent mode on the VPN 3000, but how does it work? How does the VPN 3000 know what port to reply to so the packet gets to the correct PAT host on the other side?
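
The mechanism in the Cisco excerpt above, shown as a small Python model. This is an added illustration, not code from this thread, from Cisco or from Check Point: a PAT table keyed on transport ports can deliver inbound UDP but has no key at all for inbound ESP (each side picks the SPI for the traffic it receives, so the SPI on an inbound packet was never seen on the way out), and wrapping ESP in UDP gives the PAT device a port to map. It also answers the follow-up question: the concentrator simply replies to the source address and port that the PAT device stamped on the packet it received. All addresses, ports and SPIs below are constructed, and the SA pairing that IKE would negotiate is hard-coded.

```python
"""Toy model of why classic PAT breaks ESP and how UDP encapsulation fixes it.

Added example, not code from the thread, from Cisco or from Check Point.
Addresses, ports, SPIs and the SA pairing are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed: the dialer's dynamically assigned address
VPN_GW = "198.51.100.1"      # constructed: the VPN concentrator
NAT_T_PORT = 4500            # UDP port used for ESP-in-UDP (NAT traversal)
HOST_A, HOST_B = "10.0.0.11", "10.0.0.12"   # constructed inside hosts behind PAT

# Constructed SA pairs as IKE would have negotiated them:
# gateway's inbound SPI (used by the client when sending) -> client's inbound SPI
SA_PAIRS = {0x11: 0xA1, 0x22: 0xB2}
CLIENT_SA = {HOST_A: 0x11, HOST_B: 0x22}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp" or "esp"
    sport: int = 0      # udp only
    dport: int = 0      # udp only
    spi: int = 0        # esp SPI; for esp-in-udp it rides inside the UDP payload


class PortNAT:
    """Many-to-one NAT (PAT) that keys its translation table on ports only."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 40000
        self.udp_map = {}   # (inside_ip, inside_port) -> public_port
        self.udp_rev = {}   # public_port -> (inside_ip, inside_port)

    def outbound(self, p: Packet) -> Packet:
        if p.proto == "udp":
            key = (p.src, p.sport)
            if key not in self.udp_map:
                self.udp_map[key] = self.next_port
                self.udp_rev[self.next_port] = key
                self.next_port += 1
            return Packet(self.public_ip, p.dst, "udp", self.udp_map[key], p.dport, p.spi)
        # ESP has no ports: the address can be rewritten, but nothing in this
        # packet tells the NAT which inside host the far end's replies belong to.
        return Packet(self.public_ip, p.dst, "esp", spi=p.spi)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "udp":
            hit = self.udp_rev.get(p.dport)
            if hit is None:
                return None
            inside_ip, inside_port = hit
            return Packet(p.src, inside_ip, "udp", p.sport, inside_port, p.spi)
        # Inbound ESP: no port and an SPI the NAT never saw outbound, so there
        # is no key to look up. This is the "cannot map multiple SPIs" problem.
        return None


class Gateway:
    """Concentrator side: replies to the address/port each packet arrived from."""

    def receive(self, p: Packet) -> Packet:
        client_spi = SA_PAIRS[p.spi]          # the SA paired with the one we received on
        if p.proto == "udp":
            # NAT-T: the source port is whatever the PAT device allocated, so
            # sending the reply there is all the gateway needs to do.
            return Packet(VPN_GW, p.src, "udp", NAT_T_PORT, p.sport, spi=client_spi)
        return Packet(VPN_GW, p.src, "esp", spi=client_spi)


def run_scenario(udp_encapsulated: bool) -> dict:
    """Two inside hosts each send one packet and get one reply.

    Returns, per inside host, the inside address the reply reached, or None
    if the PAT device could not deliver it.
    """
    nat, gw, delivered = PortNAT(PUBLIC_IP), Gateway(), {}
    for host in (HOST_A, HOST_B):
        spi = CLIENT_SA[host]
        if udp_encapsulated:
            out = Packet(host, VPN_GW, "udp", NAT_T_PORT, NAT_T_PORT, spi=spi)
        else:
            out = Packet(host, VPN_GW, "esp", spi=spi)
        back = nat.inbound(gw.receive(nat.outbound(out)))
        delivered[host] = back.dst if back is not None else None
    return delivered


if __name__ == "__main__":
    print("plain ESP through PAT :", run_scenario(False))
    print("ESP in UDP through PAT:", run_scenario(True))
```

With plain ESP both replies are dropped at the PAT device even though each host's outbound packet was translated; with UDP encapsulation each reply carries the public port the PAT device handed out and lands on the right host. The IOS feature in the next reply takes the other route of tracking ESP sessions by SPI inside the router, which this port-only model does not attempt.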

t.schaffner
Level 1

I had the same problem on a Cisco 803 with Internet dialup and an assigned IP address on the dialer interface. IOS 12.2(2)XI brings a new feature called "IP Security Through Network Address Translation". This feature supports multiple IPSEC connections through PAT; more information can be found here:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/800/rn800xi.htm

The normal NAT overload configuration works fine, and if you do a "show ip nat translations" you will now see the ESP & IKE translations and not only the IP connections.
