We have a Checkpoint VPN client and a Checkpoint VPN Concentrator. The Checkpoint client software is installed on a PC which is connected to the inside Ethernet interface of a Cisco 827 router. The other side of the router is a DSL dialer interface which gets its IP address assigned dynamically. The VPN works fine when we do a Static NAT to the outside interface. However, we cannot do a Static NAT to the outside interface because, like I said before, it is assigned dynamically. When we do a NAT overload to the dialer interface, the VPN does not work. I believe it is because of PAT. For some reason the VPN works with a Static NAT, but not with PAT. Some vendors (Cisco) have a workaround for IPSec with PAT. What is the problem with IPSec and PAT?
Many-to-one, the most commonly implemented NAT solution, maps several private addresses to one single routable (public) address; this is also known as Port Address Translation (PAT). The association is implemented at the port level. The PAT solution creates a problem for IPSec traffic that doesn't use any ports.
Encapsulating Security Payload
Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. Most PAT devices don't work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs). The NAT transparent mode in the VPN 3000 Client solves this problem by encapsulating ESP within UDP and sending it to a negotiated port. The name of the attribute to activate on the VPN 3000 Concentrator is IPSec through NAT.
I had the same problem on a Cisco 803 with Internet dialup and an assigned IP address on the dialer interface. IOS 12.2(2)XI brings a new feature called "IP Security Through Network Address Translation". This feature supports multiple IPSEC connections through PAT; more information can be found here:
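The two answers above make the same point from different angles: a port-based translator has nothing to rewrite in a raw ESP packet, and even a device that forwards ESP cannot tell two inside hosts apart on the return path because each inbound SPI belongs to a separate SA the translator never saw negotiated, whereas ESP wrapped in UDP (what the VPN 3000's "IPSec through NAT" and the IOS "IP Security Through NAT" feature do) gives PAT a port to key on. The following Python model is an added example, not code from the original thread or from any vendor; the addresses, SPIs and the `PatTranslator` class are constructed for illustration, and UDP port 4500 is assumed as the encapsulation port.

```python
"""Model of why raw ESP fails through a PAT device and why ESP-in-UDP passes."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple

TCP, UDP, ESP = 6, 17, 50
NAT_T_PORT = 4500  # assumed UDP port for ESP-in-UDP encapsulation

# Constructed sample topology: two inside hosts behind one PAT address, one peer.
HOSTS = ["10.0.0.11", "10.0.0.12"]
OUTBOUND_SPIS = [0x1111, 0x2222]   # SPIs of the host -> peer SAs
REPLY_SPIS = [0xAAAA, 0xBBBB]      # SPIs of the peer -> host SAs (different SAs)
PEER = "198.51.100.5"
OUTSIDE_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # only TCP/UDP carry ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP security parameter index


class PatTranslator:
    """Many-to-one NAT: inside (proto, ip, port) -> one outside ip plus a unique port."""

    def __init__(self, outside_ip: str, esp_passthrough: bool = False, first_port: int = 1024):
        self.outside_ip = outside_ip
        self.esp_passthrough = esp_passthrough
        self.next_port = first_port
        self.ports: Dict[Tuple[int, str, int], int] = {}   # (proto, inside ip, inside port) -> outside port
        self.esp_peers: Dict[str, Set[str]] = {}           # peer ip -> inside hosts sending ESP to it

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (TCP, UDP):
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.ports:
                self.ports[key] = self.next_port
                self.next_port += 1
            return replace(pkt, src=self.outside_ip, sport=self.ports[key])
        if pkt.proto == ESP and self.esp_passthrough:
            # Only the address can be rewritten; remember who talks to this peer.
            self.esp_peers.setdefault(pkt.dst, set()).add(pkt.src)
            return replace(pkt, src=self.outside_ip)
        return None  # no port field to translate: a plain PAT device drops it

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (TCP, UDP):
            for (proto, inside_ip, inside_port), oport in self.ports.items():
                if proto == pkt.proto and oport == pkt.dport:
                    return replace(pkt, dst=inside_ip, dport=inside_port)
            return None
        if pkt.proto == ESP and self.esp_passthrough:
            hosts = self.esp_peers.get(pkt.src, set())
            # The inbound SPI was chosen inside the encrypted IKE exchange, so the
            # translator can only deliver when exactly one inside host is a candidate.
            if len(hosts) == 1:
                return replace(pkt, dst=next(iter(hosts)))
        return None


def esp_through_pat(n_hosts: int, passthrough: bool) -> List[Optional[str]]:
    """Inside hosts send raw ESP to PEER; return which host each reply reaches."""
    nat = PatTranslator(OUTSIDE_IP, esp_passthrough=passthrough)
    for host, spi in zip(HOSTS[:n_hosts], OUTBOUND_SPIS):
        nat.outbound(Packet(ESP, host, PEER, spi=spi))
    delivered = []
    for spi in REPLY_SPIS[:n_hosts]:
        reply = nat.inbound(Packet(ESP, PEER, OUTSIDE_IP, spi=spi))
        delivered.append(reply.dst if reply else None)
    return delivered


def esp_in_udp_through_pat(n_hosts: int) -> List[Optional[str]]:
    """Same hosts, ESP wrapped in UDP/NAT_T_PORT: PAT keys on the port and keeps them apart."""
    nat = PatTranslator(OUTSIDE_IP)
    outside_ports = []
    for host, spi in zip(HOSTS[:n_hosts], OUTBOUND_SPIS):
        out = nat.outbound(Packet(UDP, host, PEER, NAT_T_PORT, NAT_T_PORT, spi=spi))
        outside_ports.append(out.sport)
    delivered = []
    for oport, spi in zip(outside_ports, REPLY_SPIS):
        reply = nat.inbound(Packet(UDP, PEER, OUTSIDE_IP, NAT_T_PORT, oport, spi=spi))
        delivered.append(reply.dst if reply else None)
    return delivered


if __name__ == "__main__":
    print("raw ESP, plain PAT:        ", esp_through_pat(2, passthrough=False))
    print("raw ESP, one host, passthru:", esp_through_pat(1, passthrough=True))
    print("raw ESP, two hosts, passthru:", esp_through_pat(2, passthrough=True))
    print("ESP in UDP, two hosts:     ", esp_in_udp_through_pat(2))
```

Running the script shows the progression the thread describes: plain PAT delivers no ESP at all, a passthrough device copes with a single inside host but cannot choose between two, and ESP-in-UDP reaches both hosts because each one owns a distinct translated port. A static NAT works for the same reason the single-host passthrough case works: there is only one inside address the return traffic can belong to.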