Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec with PAT

We have a Checkpoint VPN client and a Checkpoint VPN Concentrator. The Checkpoint client software is installed on a PC which is connected to the inside Ethernet Interface of a Cisco 827 router. The other side of the router is a DSL dialer interface which gets it IP address assigned dynamically. The VPN works fine when we do a Static NAT to the outside interface. However, we cannot do a Static NAT to outside interface because like I said before it is assigned dynamically. When we do a NAT overload to the dialer interface, the VPN does not work. I believe it is because of PAT. For some reason the VPN works with a Static NAT, but not with PAT. Some vendors (Cisco) have a workaround for IPSec with PAT. What is the problem with IPSec and PAT?


New Member

Re: IPSec with PAT

I have come up against this problem too many times.

Below is pulled from "".

Many-to-one, the most commonly implemented NAT solution, maps several private addresses to one single routable (public) address; this is also known as Port Address Translation (PAT). The association is implemented at the port level. The PAT solution creates a problem for IPSec traffic that doesn't use any ports.

Encapsulating Security Payload

Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. Most PAT devices don't work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs). The NAT transparent mode in the VPN 3000 Client solves this problem by encapsulating ESP within UDP and sending it to a negotiated port. The name of the attribute to activate on the VPN 3000 Concentrator is IPSec through NAT.

New Member

Re: IPSec with PAT

I know about the NAT Transparent mode on the VPN3000, but how does it work. How does the VPN 3000 know what port to reply to so the packet gets to the correct PAT host on the other side?

New Member

Re: IPSec with PAT

I had the same problem on Cisco 803 with Internet dialup and asssigned IP Address to the dialer Interface. IOS 12.2(2)XI brings a new feature called "IP Security Through Network Address Translation". This feature supports multiple IPSEC connections through PAT, more Informations can be found here:

The normal NAT overload configuration works fine and if you do a "show ip nat translations" you will see now the ESP & IKE translations and not only the IP connections.

CreatePlease login to create content