Cisco Support Community

New Member

using IPSec VPNs through PAT ( overloaded NAT )

Should a VPN work through PAT?

Can anyone help me understand that, please? I work a lot with VPNs and I really have problems with this issue.

Thanks all

2 REPLIES
New Member

Re: using IPSec VPNs through PAT ( overloaded NAT )

Yes, you can establish a VPN through PAT. However, you need to create static translation entries for the IPsec ports to ensure port 500 always passes through as 500. On the IPsec peers you need to make sure your peer is "thinking" he is talking to the real address.

Here is a doc that should help.

http://www.cisco.com/warp/public/471/ios_pat_ipsec_tunnel.html

~rlc

CCNP, CCDA, CNE
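What the static translation entry in the reply above looks like on an IOS PAT router, as an added example that is not part of the original thread or the linked document. The interface names, the 192.168.1.0/24 inside network and the 192.168.1.10 IPsec peer are constructed for illustration.

```cisco
! Outside interface: single public address (here learned via DHCP), all
! inside hosts are overloaded onto it.
interface Ethernet0/0
 ip address dhcp
 ip nat outside
!
! Inside interface: the LAN holding the IPsec peer 192.168.1.10
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Static PAT entry: pin IKE (UDP 500) from the inside peer to UDP 500 on the
! outside address, so the remote peer always sees IKE arriving from port 500
! and inbound IKE from the remote peer is forwarded to this one peer.
! Only one inside host can own outside port 500; a second IPsec peer behind
! the same address would get a random high port from the overload below.
ip nat inside source static udp 192.168.1.10 500 interface Ethernet0/0 500
!
! Dynamic overload (PAT) for everything else from the inside network
ip nat inside source list 1 interface Ethernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Verify after the tunnel negotiates: the static entry shows as a permanent
! udp translation, dynamic ones appear as the peer sends traffic.
! show ip nat translations
! show ip nat statistics
```

The static entry only covers the IKE exchange; ESP (IP protocol 50) carries no port numbers, so it is handled by the router's IPsec pass-through behaviour rather than by a port translation.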

New Member

Re: using IPSec VPNs through PAT ( overloaded NAT )

It works fine, but there's a catch - you've heard the statement about creating a static NAT for port 500, but there's more. We just completed a rather lengthy TAC case on this very subject, and it works fine without static NAT in IOS 12.2(11)T IP-FW-IDS-IPSec3DES code on a 2611 router, 16M flash and 64M memory.

The other respondent is referring to a known issue about PAT - the first VPN connection grabs port 500 for its connection, and the second connection cannot be guaranteed that it will have 500 available to it, thus possibly breaking/preventing the second VPN connection. What does happen is that port 500 is used to complete the connection, which then establishes an internal connection with the IPsec pool. Since the VPN connection gets an IP address from an internal pool, no NATting is required.

Our testing revealed that multiple inbound VPN connections do work reliably on a NAT/PAT where the outside connection had only one IP address. Our production 2611 even gets its outside IP address via DHCP, and this still works. Now, we've not been able to try more than 3 concurrent connections, but this router isn't meant for it.

If you need more than about 5 VPN connections, the PIX VPN accelerator or VPN3000 chassis is a better choice to handle the load.

-Jeff
