06-23-2002 02:47 AM - edited 02-21-2020 11:49 AM
Hi
I am really struggling to find a good document that fully explains what forms of VPN can and can't be achieved through a NAT'd network. At present I am offering ISP services across my network that are NAT'd by a 7206VXR from our internet gateway, through a PIX 525 and then via a GigEthernet switch (6509) to the customers, who are provisioned off a Cat3500 series switch.
Any pointers would be most welcome! I have been told that IPSec will not work but am sceptical as to this generalisation!
06-23-2002 03:01 AM
Are you doing remote access VPN or site to site? For remote access VPN you could do this with different methods (well, with Cisco VPN 3000 anyway).
See:
http://www.cisco.com/warp/customer/471/nat_trans.html
http://www.cisco.com/warp/customer/471/vpn3k_ipsec_tcp.html
There are also newer features in IOS that let IPSec pass through a router doing PAT:
http://www.cisco.com/warp/customer/471/ios_pat_ipsec_tunnel.html
Bear in mind that with NAT in the middle you could only use ESP encapsulation.
AH would break, as you authenticate the header (NAT changes the IP header).
06-23-2002 03:08 AM
Regarding remote or site-to-site: we have numerous prospective customers and so need to know exactly what we can do! We want to be able to do both if possible!
06-23-2002 05:07 AM
There is no one solution that fits the bill; it would depend on what you have as a VPN headend and where the NAT device is. Here are some scenarios:
IOS rtr B ---NAT device--- site VPN --- IOS rtr A: this would work as long as you peer with the translated address of B and use only ESP. If your NAT device is an IOS box doing PAT, then refer to the link I provided before regarding how to pass an IPSec tunnel through a router doing PAT.
IOS rtr or PIX as VPN ---NAT device--- VPN client: this currently would not work, as IOS and the PIX don't support NAT transparency as yet.
VPN 3000 ---NAT device--- 3002 client or Cisco software client: this would work because both the client and the VPN 3000 support NAT transparency.
Now if you use another software client like Microsoft's for L2TP over IPSec, then it would break with NAT.
See related reading of ietf drafts on:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-03.txt
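The two points above (AH breaks under NAT while ESP survives, and ESP-in-UDP on port 4500 is what lets a PAT device track the flow) are illustrated in this added Python example; it is not code from the thread or from Cisco, and the key, addresses and payload are constructed for the demonstration. The AH integrity check follows RFC 2402's rule of zeroing mutable header fields but keeping the addresses, and the UDP framing follows the draft linked above.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Shared integrity key and sample inner packet, both constructed for this example.
KEY = b"constructed-demo-integrity-key"
PAYLOAD = b"inner packet bytes (constructed)"
NAT_T_PORT = 4500  # UDP port defined by draft-ietf-ipsec-udp-encaps (later RFC 3948)

def ah_covered_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 header as AH sees it when computing the ICV: mutable fields (TOS,
    flags/fragment offset, TTL, checksum) are zeroed per RFC 2402, but the
    source/destination addresses stay in, because they are assumed immutable
    in transit. A NAT that rewrites them therefore invalidates the ICV."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1234, 0, 0, 51, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    covered = ah_covered_header(src, dst, 20 + len(payload)) + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]  # 96-bit truncation

def esp_icv(spi: int, seq: int, body: bytes) -> bytes:
    """ESP's ICV covers only SPI, sequence number and the (encrypted) body.
    The outer IP header is excluded, so an address rewrite does not matter."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + body, hashlib.sha256).digest()[:12]

def ah_survives_nat(src: str, nat_src: str, dst: str) -> bool:
    sent = ah_icv(src, dst, PAYLOAD)            # sender computes over the original header
    seen = ah_icv(nat_src, dst, PAYLOAD)        # receiver recomputes over the NAT'd header
    return hmac.compare_digest(sent, seen)

def esp_survives_nat(spi: int = 0x1000, seq: int = 1) -> bool:
    sent = esp_icv(spi, seq, PAYLOAD)
    seen = esp_icv(spi, seq, PAYLOAD)           # header change never enters the calculation
    return hmac.compare_digest(sent, seen)

def udp_encapsulate(esp_packet: bytes, sport: int = NAT_T_PORT) -> bytes:
    """NAT-T framing: the ESP packet is placed directly after a UDP header on
    port 4500, giving a PAT device ports to translate, which bare ESP lacks."""
    return struct.pack("!HHHH", sport, NAT_T_PORT, 8 + len(esp_packet), 0) + esp_packet

def classify_nat_t(udp_payload: bytes) -> str:
    """Demultiplex a port-4500 UDP payload as the draft describes: a single
    0xFF byte is a NAT keepalive, four zero bytes (the Non-ESP Marker) mean
    IKE, and anything else starts with a non-zero ESP SPI."""
    if udp_payload == b"\xff":
        return "NAT-keepalive"
    return "IKE" if udp_payload[:4] == b"\x00\x00\x00\x00" else "ESP"
```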