The idea here is to be able to terminate VPNs through a DSL device that's doing PAT (NAT overload). The issue here is to be able to initiate different
SAs (from different PCs using VPN Client 3.x) that are initiated from the same
public IP address (the one given by the ISP for the DSL connection).
On the VPN client I saw an option that 'allows' me to use the client over
NAT/PAT/firewall, but it calls for me to designate a particular TCP arrival port that will be used to send the IPsec request to the tunnel terminator; the thing here is that I haven't found any info on how to use this.
Anyone tried this setup? Do you have a URL/configs I can take a look at?
The feature you're referring to is called transparent tunneling. It uses either TCP or UDP as a transport, thereby allowing it to work through PAT devices. As far as I know, it's only supported on the VPN Concentrator (the PIX is supposed to support this in the next release).
Someone correct me if I'm wrong, but I don't think it's supported on the router (yet).
It does work, but transparent tunneling is irrelevant for router IOS because you're not tunneling through to the actual IPsec device - the router _is_ the tunnel endpoint.
Yes, you can do NAT/PAT for VPNs with different policies. Create different IPsec internal pools, and associate different SAs with those respective pools. Also, be sure to replace the existing NAT/PAT translations with the nonat route map shown in the IPsec examples.
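As an added illustration of the approach in the answer above (this is example configuration written for this page, not any poster's config and not taken from the Cisco examples the answer refers to), here is an IOS router acting as the VPN Client endpoint with two client groups, each tied to its own address pool, a dynamic crypto map for the PAT'd clients, and a route-map on the PAT statement so that traffic between the inside LAN and the VPN pools is exempted from translation. The LAN subnet 192.168.1.0/24, the pool ranges, the group names, keys, usernames and the Dialer0/FastEthernet0/0 interfaces are all assumptions.

```cisco
! Added example config, not a poster's. Assumed: inside LAN 192.168.1.0/24
! behind FastEthernet0/0, PAT (overload) on Dialer0, two VPN client groups.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username alice password 0 alicepass

! One internal pool per client group, so each group's SAs land on a
! distinct subnet that the NAT exemption below can match on.
ip local pool POOL-ENG   10.10.1.1 10.10.1.50
ip local pool POOL-SALES 10.10.2.1 10.10.2.50

crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2

! Group policies: each group hands out addresses from its own pool.
crypto isakmp client configuration group ENG
 key eng-preshared-key
 pool POOL-ENG
crypto isakmp client configuration group SALES
 key sales-preshared-key
 pool POOL-SALES

crypto ipsec transform-set TS-CLIENT esp-3des esp-sha-hmac

! Dynamic map: the clients arrive from an unknown (PAT'd) address, so there
! is no 'set peer'. reverse-route injects a route back to each client.
crypto dynamic-map DYN-CLIENT 10
 set transform-set TS-CLIENT
 reverse-route

crypto map CM-CLIENT client authentication list VPN-USERS
crypto map CM-CLIENT isakmp authorization list VPN-GROUPS
crypto map CM-CLIENT client configuration address respond
crypto map CM-CLIENT 10 ipsec-isakmp dynamic DYN-CLIENT

! NAT exemption ("nonat"): deny LAN -> pool traffic so it is never PAT'd;
! everything else from the LAN is overloaded onto Dialer0 as before.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 110

! This replaces any existing 'ip nat inside source list ... overload' line.
ip nat inside source route-map NONAT interface Dialer0 overload

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip nat outside
 crypto map CM-CLIENT
```

The deny entries in access-list 110 are the part that is easy to get wrong: without them, replies from the LAN toward a connected client are translated to the Dialer0 address before they reach the crypto map, never match the SA, and the tunnel appears to come up but passes no traffic. After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` should show one SA pair per client, and `show ip nat translations` should show no entries for the pool subnets.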