Cisco Support Community
Community Member

VPN capability thru NAT


I am really struggling to find a good document that fully explains what forms of VPN can and can't be achieved thru a NATT'D network. At present I am offering ISP services across my network that are NATT'D by a 7206VXR from our internet gateway, thru a PIX 525 and then via GigEthernet switch (6509) to the customers who are provisioned off a cat3500 series switch.

Any pointers would be most welcome! I have been told that IPSec will not work but am sceptical as to this generalisation!

Cisco Employee

Re: VPN capability thru NAT

Are you doing remote access vpn or site to site? For remote access vpn you could do this with different methods (well with Cisco VPN 3000 anyway).

There are also newer features on the ios that let ipsec pass thru a router doing pat on:

Bear in mind that with nat in the middle you could only use esp encapsulation. AH would break as you authenticate the header (nat changes the ip header).
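The AH-versus-ESP point above can be shown with a small model of what each protocol's integrity check covers. The following is an added example, not code from the original thread or from Cisco: it builds a minimal IPv4 header, computes a simplified AH ICV over the immutable header fields (addresses included) and an ESP ICV over only the ESP header and payload, then lets a modelled NAT rewrite the source address and checks which ICV still verifies. The key, addresses and payload are constructed values; the ICV construction (HMAC-SHA256 truncated to 96 bits) is a simplification of the real RFC 4302/4303 processing and is not a wire-compatible implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed shared integrity key for the modelled security association (hypothetical).
KEY = b"constructed-demo-integrity-key"

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
PROTO_ESP = 50
PROTO_AH = 51


def ipv4_header(src, dst, proto, ttl=64, total_len=0):
    """Build a minimal 20-byte IPv4 header (checksum left zero for this model)."""
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def nat_translate(header, new_src):
    """Model a NAT device rewriting the outer source address of a packet."""
    fields = list(struct.unpack(IPV4_FMT, header))
    fields[8] = ipaddress.IPv4Address(new_src).packed
    return struct.pack(IPV4_FMT, *fields)


def ah_icv(header, payload):
    """Simplified AH ICV: covers the immutable IP header fields plus the payload.

    Mutable fields (TTL, header checksum) are zeroed before hashing, as AH
    requires; the source and destination addresses are NOT mutable in AH's
    view, so any NAT rewrite of them changes the authenticated input.
    """
    fields = list(struct.unpack(IPV4_FMT, header))
    fields[5] = 0  # TTL is mutable, zeroed for ICV computation
    fields[7] = 0  # header checksum is mutable, zeroed for ICV computation
    immutable = struct.pack(IPV4_FMT, *fields)
    return hmac.new(KEY, immutable + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_header, payload):
    """Simplified ESP ICV: covers only the ESP header (SPI, sequence) and payload.

    The outer IP header is not part of the authenticated data, which is why an
    address rewrite by NAT does not invalidate the check.
    """
    return hmac.new(KEY, esp_header + payload, hashlib.sha256).digest()[:12]


def ah_survives_nat(src, dst, nat_src, payload):
    """Sender computes AH ICV, NAT rewrites the source, receiver re-verifies."""
    sent_header = ipv4_header(src, dst, PROTO_AH)
    sent_icv = ah_icv(sent_header, payload)
    received_header = nat_translate(sent_header, nat_src)
    return hmac.compare_digest(sent_icv, ah_icv(received_header, payload))


def esp_survives_nat(src, dst, nat_src, payload, spi=0x1000, seq=1):
    """Sender computes ESP ICV, NAT rewrites the source, receiver re-verifies."""
    sent_header = ipv4_header(src, dst, PROTO_ESP)
    esp_header = struct.pack("!II", spi, seq)
    sent_icv = esp_icv(esp_header, payload)
    received_header = nat_translate(sent_header, nat_src)  # changed, but not covered
    assert received_header != sent_header
    return hmac.compare_digest(sent_icv, esp_icv(esp_header, payload))


if __name__ == "__main__":
    # Constructed addresses from documentation ranges; payload is a placeholder.
    args = ("192.0.2.10", "198.51.100.1", "203.0.113.5", b"constructed payload")
    print("AH verifies after NAT: ", ah_survives_nat(*args))    # False
    print("ESP verifies after NAT:", esp_survives_nat(*args))   # True
```

Note that this only models the integrity check. A device doing PAT rather than one-to-one NAT has a separate problem with ESP, since ESP carries no port numbers for the translator to multiplex on, which is the gap the IOS pass-through feature and NAT transparency mentioned in this thread address.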

Community Member

Re: VPN capability thru NAT

Regarding Remote or Site-to-site, we have numerous prospective customers and so need to know what we can exactly do! We want to be able to do both if possible!

Cisco Employee

Re: VPN capability thru NAT

There is no one solution that fits the bill, it would be depending on what you have as a vpn headend and where the nat device is. Here are some scenarios:

IOS rtrB ---nat device--sitevpn--IOS rtr A: this would work as long as you peer with the translated addr of B and use only esp. If your nat device is an IOS doing pat, then refer to the link I have provided before regarding how to pass an ipsec tunnel through a router doing pat.

IOS rtr or PIX as VPN ---nat device---vpn client: this currently would not work, as IOS or the PIX doesn't support nat transparency as yet.

VPN 3000 ---nat device ---3002 client or Cisco software client: this would work because both the client and the VPN 3000 support nat transparency.

Now if you use other software client like Microsoft for L2TP over IPSec, then it would break with NAT.

See related reading of ietf drafts on:
