Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN + NAT , can not work using CSPM 232i


I tried to configure VPN+NAT(overload+static). It could not work....Is CSPM not intended for that configuration ?? when I tried to configure NAT then configure VPN, I didn't see the configuration for vpn in the command section ....and when I tried to upload to PIX...I didn't see such command for VPN purpose ..... Can Somebody help me please

thanks in advance.....

New Member

Re: VPN + NAT , can not work using CSPM 232i

CSPM 2.3.2.i does not include the firewall/vpn enhancements that are required to allow this type of IPsec configuration. You will need to use the 'f' train which is available for download. The only thing to consider is that if you are also managing IDS with, you need to continue to use the 'i' train for those sensors.


Install another CSPM server and use the 'f' train for the firewall/vpn maganement. This software can be downloaded if you have a cco account from the following location:



Cisco Employee

Re: VPN + NAT , can not work using CSPM 232i

I talked with one of our sensor testers. He has confirmed that CSPM will not currently support this configuration for IPSEC between CSPM and the sensor.

The UDP checksums are changed when using the IPSEC method that was necessary.

NT checks the UDP checksums and doesn't let the packet through because the checksums won't match.

On the Unix Director and the Sensor we can disable the UDP checksums in order to get IPSEC to work, but we couldn't do it on CSPM with the IRE client being used.

DDTS Issue: CSCdu56454