VPN capability thru NAT

grant.bishop
Level 1

Hi

I am really struggling to find a good document that fully explains what forms of VPN can and can't be achieved thru a NAT'd network. At present I am offering ISP services across my network that are NAT'd by a 7206VXR from our internet gateway, thru a PIX 525 and then via GigEthernet switch (6509) to the customers who are provisioned off a cat3500 series switch.

Any pointers would be most welcome! I have been told that IPsec will not work but am sceptical as to this generalisation!

3 Replies

cjacinto
Cisco Employee

Are you doing remote-access VPN or site-to-site? For remote-access VPN you could do this with different methods (well, with Cisco VPN 3000 anyway).

See:

http://www.cisco.com/warp/customer/471/nat_trans.html

http://www.cisco.com/warp/customer/471/vpn3k_ipsec_tcp.html

There are also newer features in IOS that let IPsec pass thru a router doing PAT:

http://www.cisco.com/warp/customer/471/ios_pat_ipsec_tunnel.html

Bear in mind that with NAT in the middle you could only use ESP encapsulation.

AH would break, as you authenticate the header (NAT changes the IP header).

Regarding Remote or Site-to-site, we have numerous prospective customers and so need to know what we can exactly do! We want to be able to do both if possible!

There is no one solution that fits the bill; it would depend on what you have as a VPN headend and where the NAT device is. Here are some scenarios:

IOS rtr B ---nat device--sitevpn--IOS rtr A: this would work as long as you peer with the translated addr of B and use only ESP. If your NAT device is an IOS doing PAT, then refer to the link I provided before regarding how to pass an IPsec tunnel through a router doing PAT.

IOS rtr or PIX as VPN ---nat device---vpn client: this currently would not work, as IOS or the PIX doesn't support NAT transparency as yet.

VPN 3000 ---nat device ---3002 client or Cisco software client: this would work because both the client and the VPN 3000 support NAT transparency.

Now if you use another software client like Microsoft for L2TP over IPsec, then it would break with NAT.

See related reading of IETF drafts on:

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt
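The three points made in this thread (AH breaks under NAT because its ICV covers the IP header, plain ESP survives because its ICV does not, and UDP-encapsulated ESP on port 4500 additionally survives PAT) can be shown in a small simulation. This is an added illustration, not code from the thread or from any Cisco product; the key, addresses, SPI and packet contents are constructed, and encryption is omitted (the inner data is treated as already-encrypted bytes).

```python
import hmac, hashlib, socket, struct

KEY = b"constructed-demo-key"   # constructed SA key shared by both peers
INNER = b"constructed inner packet"  # stands in for the protected payload

def ip_header(src, dst, proto, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left zero for illustration.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def nat_rewrite(hdr, new_src, udp=None, new_port=None):
    # A NAT/PAT device rewrites the source address on the way out and, for
    # UDP, the source port too; the far end only sees the translated values.
    hdr = hdr[:12] + socket.inet_aton(new_src) + hdr[16:]
    if udp is not None:
        udp = struct.pack("!H", new_port) + udp[2:]
    return hdr, udp

def ah_icv(hdr, payload):
    # AH (IP proto 51) authenticates the IP header as well as the payload.
    # Only mutable fields (TTL, checksum) are zeroed; addresses ARE covered.
    immutable = hdr[:8] + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:]
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:12]

def esp_icv(spi, seq, ciphertext):
    # ESP (IP proto 50) authenticates only SPI, sequence and encrypted data,
    # so the outer IP header may change in transit without breaking the ICV.
    return hmac.new(KEY, struct.pack("!II", spi, seq) + ciphertext,
                    hashlib.sha256).digest()[:12]

def ah_survives_nat():
    hdr = ip_header("10.0.0.5", "203.0.113.9", 51)
    icv = ah_icv(hdr, INNER)                        # computed by sender
    hdr, _ = nat_rewrite(hdr, "198.51.100.1")       # NAT in the middle
    return hmac.compare_digest(icv, ah_icv(hdr, INNER))  # receiver's check

def esp_survives_nat():
    hdr = ip_header("10.0.0.5", "203.0.113.9", 50)
    icv = esp_icv(0x1001, 1, INNER)
    hdr, _ = nat_rewrite(hdr, "198.51.100.1")
    return hmac.compare_digest(icv, esp_icv(0x1001, 1, INNER))

def udp_encap_esp_survives_pat():
    # NAT traversal (draft-ietf-ipsec-udp-encaps, later RFC 3948): ESP rides
    # inside UDP/4500 so a PAT device has a port to track. The receiver strips
    # the UDP header and checks the ESP ICV, which still ignores outer headers.
    hdr = ip_header("10.0.0.5", "203.0.113.9", 17)
    udp = (struct.pack("!HHHH", 4500, 4500, 0, 0)
           + struct.pack("!II", 0x1001, 1) + INNER)
    icv = esp_icv(0x1001, 1, INNER)
    hdr, udp = nat_rewrite(hdr, "198.51.100.1", udp, 61000)  # PAT rewrite
    spi, seq = struct.unpack("!II", udp[8:16])
    if spi == 0:          # four zero bytes = non-ESP marker, i.e. IKE on 4500
        return False
    return hmac.compare_digest(icv, esp_icv(spi, seq, udp[16:]))
```

Running the three functions gives False, True and True respectively, matching the order of the scenarios above.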