
using IPSec VPNs through PAT ( overloaded NAT )

chenalkabets
Level 1

Should a VPN work through PAT?

Can anyone help me understand that, please? I work a lot with VPNs and I really have problems with this issue.

Thanks all.

2 Replies

rlcarr
Level 1

Yes, you can establish a VPN through PAT. However, you need to create static translation entries for the IPsec ports to ensure port 500 always passes through as 500. On the IPsec peers you need to make sure your peer is "thinking" he is talking to the real address.

Here is a doc that should help.

http://www.cisco.com/warp/public/471/ios_pat_ipsec_tunnel.html

~rlc

CCNP, CCDA, CNE

jeff_caprock
Level 1

It works fine, but there's a catch - you've heard the statement about creating a static NAT for port 500, but there's more. We just completed a rather lengthy TAC case on this very subject, and it works fine without static NAT in IOS 12.2(11)T IP-FW-IDS-IPSec3DES code on a 2611 router, 16M flash and 64M memory.

The other respondent is referring to a known issue about PAT: the first VPN connection grabs port 500 for its connection, and the second connection cannot be guaranteed that port 500 will be available to it, thus possibly breaking/preventing the second VPN connection. What does happen is that port 500 is used to complete the connection, and then an internal connection is established with the IPsec pool. Since the VPN connection gets an IP address from an internal pool, no NATing is required.

Our testing revealed that multiple inbound VPN connections do work reliably on a NAT/PAT where the outside connection had only one IP address. Our production 2611 even gets its outside IP address via DHCP, and this still works. Now, we've not been able to try more than 3 concurrent connections, but this router isn't meant for it.

If you need more than about 5 vpn connections, the PIX vpn accelerator or VPN3000 chassis is a better choice to handle the load.

-Jeff
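The two replies above describe the same mechanics from different angles: rlcarr's static translation pins UDP 500 to one inside host, and Jeff's "first connection grabs port 500" is what happens to everyone else on an overloaded address. The following is an added example, not code from the thread or from Cisco: a toy model of a PAT table showing which outside source port each inside IKE initiator ends up with (with and without a static entry), why a peer that insists on seeing source port 500 will only ever accept one of them, and why ESP return traffic (IP protocol 50, no ports) can be delivered unambiguously only when a single inside host is using it. All addresses, SPIs and the strict-responder rule are constructed for the illustration; NAT-T is deliberately not modelled because the thread does not discuss it.

```python
"""Toy model of an overloaded NAT (PAT) carrying IKE (UDP/500) and ESP (IP proto 50).
Constructed for illustration; not Cisco IOS behaviour line for line."""

from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50          # IP protocol numbers
IKE_PORT = 500             # ISAKMP/IKE


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ESP: it has no transport header
    dst_port: Optional[int] = None
    spi: Optional[int] = None        # ESP only


class PatRouter:
    """One public address shared by every inside host."""

    def __init__(self, outside_ip: str, first_dynamic_port: int = 1024):
        self.outside_ip = outside_ip
        self.table: dict[tuple, int] = {}   # (proto, inside_ip, inside_port) -> outside_port
        self.used_ports: set[int] = set()
        self.next_port = first_dynamic_port
        self.esp_inside: list[str] = []     # inside hosts that have sent ESP

    def add_static_udp(self, inside_ip: str, inside_port: int, outside_port: int) -> None:
        """Model of a static PAT entry pinning inside_ip:inside_port to outside_port."""
        if outside_port in self.used_ports:
            raise ValueError(f"outside port {outside_port} already in use")
        self.table[(UDP, inside_ip, inside_port)] = outside_port
        self.used_ports.add(outside_port)

    def _alloc_port(self) -> int:
        while self.next_port in self.used_ports:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            # Only the address can be rewritten: ESP has no ports, so every inside
            # host collapses onto the same (outside_ip, protocol 50) tuple.
            if pkt.src_ip not in self.esp_inside:
                self.esp_inside.append(pkt.src_ip)
            return Packet(ESP, self.outside_ip, pkt.dst_ip, spi=pkt.spi)
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.table.get(key)
        if port is None:
            # PAT keeps the original source port when it is free and picks another
            # one otherwise: the "first connection grabs 500" effect.
            port = pkt.src_port if pkt.src_port not in self.used_ports else self._alloc_port()
            self.used_ports.add(port)
            self.table[key] = port
        return Packet(pkt.proto, self.outside_ip, pkt.dst_ip, port, pkt.dst_port)

    def inside_host_for_inbound(self, pkt: Packet) -> Optional[str]:
        """Inside host a reply belongs to; None if the router cannot tell."""
        if pkt.proto == ESP:
            return self.esp_inside[0] if len(self.esp_inside) == 1 else None
        for (proto, inside_ip, _), outside_port in self.table.items():
            if proto == pkt.proto and outside_port == pkt.dst_port:
                return inside_ip
        return None


def responder_accepts_ike(pkt: Packet) -> bool:
    """Constructed rule: a strict IKE peer answers only UDP 500 -> 500."""
    return pkt.proto == UDP and pkt.src_port == IKE_PORT and pkt.dst_port == IKE_PORT


PEER = "203.0.113.1"       # documentation address standing in for the remote peer


def ike_through_pat(static_for_first: bool = False) -> list[int]:
    """Two inside hosts start IKE through one PAT address; returns the outside
    source port each one is given, in order."""
    nat = PatRouter("198.51.100.2")
    if static_for_first:
        nat.add_static_udp("10.1.1.10", IKE_PORT, IKE_PORT)
    ports = []
    for host in ("10.1.1.10", "10.1.1.11"):
        out = nat.translate_outbound(Packet(UDP, host, PEER, IKE_PORT, IKE_PORT))
        ports.append(out.src_port)
    return ports


def esp_return_traffic(inside_hosts: tuple) -> Optional[str]:
    """Where the router delivers an ESP packet coming back from the peer."""
    nat = PatRouter("198.51.100.2")
    for i, host in enumerate(inside_hosts):
        nat.translate_outbound(Packet(ESP, host, PEER, spi=0x1000 + i))
    reply = Packet(ESP, PEER, nat.outside_ip, spi=0x2000)   # constructed SPI
    return nat.inside_host_for_inbound(reply)


if __name__ == "__main__":
    print("IKE outside ports, no static entry:", ike_through_pat())
    print("IKE outside ports, static for .10 :", ike_through_pat(static_for_first=True))
    print("ESP reply, one inside host :", esp_return_traffic(("10.1.1.10",)))
    print("ESP reply, two inside hosts:", esp_return_traffic(("10.1.1.10", "10.1.1.11")))
```

Whether the static entry is present or not, only one inside host gets source port 500 on the outside; the static entry merely decides which one, which is why it fixes a single site-to-site tunnel and not several concurrent initiators. The ESP half is the reason the thread's "it works" cases are all ones where the tunnel endpoint itself (the 2611, or the remote-access client pool) is the only thing behind the shared address.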