Cisco Support Community
New Member

Question on NAT Traversal

Kindly advise on the following questions regarding VPN3000 remote client's NAT Traversal. For NAT Traversal, we have an option to use UDP port 10000.

Is phase 1 (IKE) port 500 also translated to port 10000?

Best Regards,

Engel

2 REPLIES
Bronze

Re: Question on NAT Traversal

NAT-T lets IPSec peers establish a LAN-to-LAN connection through a NAT device. It does this by encapsulating IPSec traffic in UDP datagrams, thereby providing NAT devices with port information. Multiple IPSec clients behind a NAT/PAT device can connect to the same VPN Concentrator, except Microsoft L2TP/IPSec clients (as noted in the following list). NAT-T auto-detects any NAT devices and encapsulates IPSec traffic only when necessary.

New Member

Re: Question on NAT Traversal

Thanks for your reply.

I think I should be clear: the question is for a VPN client to the Concentrator, where the client is behind a firewall which is doing NAT. I am aware that the IPSec (ESP packets) will be translated to UDP port 10000. But I was not sure if the first stage for preparation of IPSec, which is IKE (UDP 500), is also translated to UDP port 10000. I tested this using a PIX Firewall as a NAT device, and I found two translations occur in the "xlate" table.

One is port 500 and the other is port 10000. My conclusion is IKE still uses port 500 and the ESP packet is encapsulated in UDP port 10000.

Best Regards,

Engel
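To make the xlate check described in the reply above repeatable, here is an added example (not from this thread and not Cisco's code) that parses constructed PIX-style `show xlate` lines and reports, per inside host, whether both the IKE (UDP 500) and IPsec-over-UDP (UDP 10000) translations are present. The line format, the addresses, and the function names are assumptions; only the two port numbers come from the thread.

```python
"""Check a PIX-style xlate listing for the two UDP translations a VPN client
behind PAT needs: IKE (UDP 500) and the Concentrator's IPsec-over-UDP port
(UDP 10000, the value discussed in the thread above)."""
import re

IKE_PORT = 500          # IKE phase 1 (from the thread)
IPSEC_UDP_PORT = 10000  # "IPSec over UDP" port configured on the Concentrator (from the thread)

# Constructed sample in the PIX 6.x "show xlate" line format (assumed format;
# this is not the original poster's output).
SAMPLE_XLATE = """\
PAT Global 203.0.113.10(1025) Local 192.168.1.50(500)
PAT Global 203.0.113.10(1026) Local 192.168.1.50(10000)
PAT Global 203.0.113.10(1027) Local 192.168.1.51(500)
Global 203.0.113.20 Local 192.168.1.60
"""

# "PAT Global a.b.c.d(port) Local w.x.y.z(port)" or "Global a.b.c.d Local w.x.y.z"
XLATE_RE = re.compile(
    r"^(?P<pat>PAT\s+)?Global\s+(?P<gip>[\d.]+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local\s+(?P<lip>[\d.]+)(?:\((?P<lport>\d+)\))?\s*$"
)


def parse_xlate(text):
    """Return one dict per xlate line; lines that do not match the pattern are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "pat": bool(m.group("pat")),
            "global_ip": m.group("gip"),
            "global_port": int(m.group("gport")) if m.group("gport") else None,
            "local_ip": m.group("lip"),
            "local_port": int(m.group("lport")) if m.group("lport") else None,
        })
    return entries


def port_translations(entries, local_ip):
    """Map each translated local port of local_ip to its (global_ip, global_port)."""
    out = {}
    for e in entries:
        if e["local_ip"] == local_ip and e["local_port"] is not None:
            out[e["local_port"]] = (e["global_ip"], e["global_port"])
    return out


def ipsec_udp_status(entries, local_ip):
    """True/False for each of the two translations the client needs."""
    ports = port_translations(entries, local_ip)
    return {"ike": IKE_PORT in ports, "ipsec_udp": IPSEC_UDP_PORT in ports}


def missing_translations(entries, local_ip):
    """Names of the translations that are absent; handy as a one-line triage message."""
    return [name for name, ok in ipsec_udp_status(entries, local_ip).items() if not ok]


if __name__ == "__main__":
    entries = parse_xlate(SAMPLE_XLATE)
    for host in ("192.168.1.50", "192.168.1.51", "192.168.1.60"):
        print(host, ipsec_udp_status(entries, host), port_translations(entries, host))
```

Two things worth keeping in mind when running this against real output: the Concentrator's UDP 10000 mode is Cisco's IPsec-over-UDP option, and the PIX sees IKE on UDP 500 and ESP carried in UDP 10000 as two separate PAT entries, which is what the poster observed; standards-based NAT-T (RFC 3948) instead moves both IKE and UDP-encapsulated ESP to UDP 4500 once a NAT is detected, so a client negotiating NAT-T will show a 4500 translation rather than a 10000 one. Newer ASA releases also print xlate entries in a different format, so adjust the regex if the lines do not match.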
