NAT-T Through Firewall-1

I am trying to set up multiple clients from one site to our 3060 Concentrator. They are running the 4.0.1 client and NAT-T is turned on.

I have done a TCPDUMP at the firewall (the concentrator sits behind the external firewall) and can see the first client come in on udp 500,500. It then switches to 4500,4500.

For the second client I saw it start on 500,500. The next packet exchange was 48068,4500. I presume the ADSL modem has PATed 4500 to 48068?

Anyway, this did not connect. The TCPDUMP showed the concentrator responded on 4500,48068 but the client did not receive it. I think the firewall dropped it because it was sent to port 48068 and it had not recognised the communication as a session.

The PIX has a specific version and command for NAT-T support. I think our old Firewall-1 doesn't understand NAT-T. We are upgrading to NG next week; will that help?


Re: NAT-T Through Firewall-1

I guess even older versions of the PIX support the same...

Re: NAT-T Through Firewall-1

I think I have found the problem.

I think the firewall is passing the traffic, recognising it as a session. We also have some simple ACLs on our internet router and I think it is being dropped there.

We permit udp 500 and 4500 in and out, but NAT-T allows a random port. The inbound traffic is allowed, port 45000, but the outbound, dest port 48068, is not allowed in our ACLs.

We could use a reflexive ACL to allow source/dest port combinations.
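Added example, not code from the thread: a small Python model of the router ACL behaviour described above, replaying the two client exchanges against a static "permit udp 500/4500" ACL and against a reflexive ACL that opens the mirrored port pair when the inbound NAT-T packet is permitted. The addresses are constructed; the ports 4500 and 48068 are the ones seen in the TCPDUMP.

```python
from dataclasses import dataclass

# Assumed topology for this example: an internet-facing router ACL where "in"
# means traffic toward the concentrator and "out" means replies leaving the site.
CONCENTRATOR = "10.0.0.10"   # constructed address for the 3060 Concentrator
CLIENT_NAT = "203.0.113.7"   # constructed public address of the clients' ADSL modem
IKE_PORTS = {500, 4500}      # what the static ACL permits (IKE and NAT-T)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def static_acl_permits(p: Pkt) -> bool:
    """Static ACL: 'permit udp any any eq 500' / 'eq 4500', i.e. dest port only."""
    return p.dport in IKE_PORTS


class ReflexiveAcl:
    """Reflexive ACL: a permitted inbound packet opens the mirrored 4-tuple so
    the reply to the PAT-translated client port (48068) is allowed back out."""

    def __init__(self) -> None:
        self.reverse: set[tuple[str, int, str, int]] = set()

    def inbound(self, p: Pkt) -> bool:
        if not static_acl_permits(p):
            return False
        self.reverse.add((p.dst, p.dport, p.src, p.sport))  # mirrored entry
        return True

    def outbound(self, p: Pkt) -> bool:
        return static_acl_permits(p) or (p.src, p.sport, p.dst, p.dport) in self.reverse


def simulate() -> dict[str, tuple[bool, bool]]:
    """Replay the thread's exchanges; returns {step: (static_ok, reflexive_ok)}."""
    refl = ReflexiveAcl()
    steps = [
        ("client1 in  4500->4500",  "in",  Pkt(CLIENT_NAT, 4500, CONCENTRATOR, 4500)),
        ("client1 out 4500->4500",  "out", Pkt(CONCENTRATOR, 4500, CLIENT_NAT, 4500)),
        ("client2 in  48068->4500", "in",  Pkt(CLIENT_NAT, 48068, CONCENTRATOR, 4500)),
        ("client2 out 4500->48068", "out", Pkt(CONCENTRATOR, 4500, CLIENT_NAT, 48068)),
    ]
    results = {}
    for label, direction, p in steps:
        stateful = refl.inbound(p) if direction == "in" else refl.outbound(p)
        results[label] = (static_acl_permits(p), stateful)
    return results


if __name__ == "__main__":
    for label, (s, r) in simulate().items():
        print(f"{label:24s} static={'permit' if s else 'DROP':6s} reflexive={'permit' if r else 'DROP'}")
```

Only the second client's reply (dest port 48068) differs between the two ACL styles, which matches where the thread locates the drop.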

