Cisco Support Community
Community Member

NATed W2K client to 3005?

Can this be done? I know it can be done without the Netgear or Linksys involved.

What I have is:

Windows 2000 client (with digital certs) going through a Netgear RT314 across the internet (via a cable modem) and making an L2TP/IPSEC connection with a VPN 3005.

If I plug the client right into the cable modem all works fine. The Linksys cable modem 'router' didn't work at all. I suspected that was because I couldn't tell it to work with IP protocols 50 and 51. So I bought a Netgear RT314 that seems to allow me to set up a filter to forward IP 50, 51, UDP port 1701 and UDP port 500.

When I attempt to connect to the 3005 (running 2.5.2) I get a message that the L2TP failed.

Now I'm starting to think that this is failing because the client has a private address (192.168.x.x) and is being NATed by the Netgear (PAT in PIX terms). Is that the problem?

Any ideas?


Community Member

Re: NATed W2K client to 3005?

This is because part of the auth process looks at WHO wrote the header. For instance, I have a 3015 NATed to public space, and remotely I have 3005s for LAN-to-LAN sessions. Now, to make it work, I have to specify the private address 192.168.xx.xx on the 3005 (remote) as the peer. Now, on the config > system > ip routing > static routes, I have to make a static route to the public address the concentrator is one-to-one NATed to...

I also have to create a group on the 3005 allowing a LAN-to-LAN session, because it's going to hear traffic back from the public address. Crazy, but I tried everything else possible and this was the only thing that worked. BTW, the 3005s are actually assigned routed IP space, so the master 3015 only needs their IPs as peer.

So I'm assuming the L2TP is matching too much and NAT is interfering. One thing you can try on the concentrator is making group access (with L2TP allowed, of course) for both the remote private and public addresses. That way, no matter who the concentrator sees (you can check it out in the event log), it will allow a connection once encryption is successfully executed.
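
Editor's added example (not posted by either participant): one general reason NAT interferes with IPsec, relevant to the IP protocol 51 (AH) forwarding mentioned in the question, is that the AH integrity check covers the source address, so a NAT rewrite invalidates it while an ordinary routed hop does not. This is a simplified model (the AH header itself is left out of the hash), and the key and all addresses are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"          # constructed shared key, illustration only
PAYLOAD = b"constructed L2TP payload"  # constructed sample payload


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv(ip_header, payload, key=KEY):
    """HMAC-SHA1-96 over the header with mutable fields zeroed, plus payload.

    Fields that routers legitimately change (TOS, flags/fragment offset, TTL,
    header checksum) are zeroed first; source and destination stay covered.
    """
    h = bytearray(ip_header)
    h[1] = 0               # TOS
    h[6:8] = b"\x00\x00"   # flags + fragment offset
    h[8] = 0               # TTL
    h[10:12] = b"\x00\x00" # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha1).digest()[:12]


def verify(ip_header, payload, icv, key=KEY):
    """Receiver-side check: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(ah_icv(ip_header, payload, key), icv)


def nat_rewrite(ip_header, new_src):
    """What a NAT/PAT device does to the header: replace the source address."""
    h = bytearray(ip_header)
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)


def demo():
    """Return (direct, routed_hop, natted) verification results."""
    sent = ipv4_header("192.168.1.10", "198.51.100.20", 51, len(PAYLOAD))
    icv = ah_icv(sent, PAYLOAD)
    routed = ipv4_header("192.168.1.10", "198.51.100.20", 51, len(PAYLOAD), ttl=63)
    natted = nat_rewrite(sent, "203.0.113.5")
    return (verify(sent, PAYLOAD, icv), verify(routed, PAYLOAD, icv),
            verify(natted, PAYLOAD, icv))
```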
