New Member

VPN over NAT

Hi,

I have configured a PIX (6.3) for VPN clients (4.0.2). When I try to connect using a dial-up connection I am able to connect, but using NAT (through a router) I get connected but cannot access any servers. It shows zero packets decrypted.

Is there anything I need to do on the PIX? I am using IPSEC.

Please help.

Accepted Solutions
Cisco Employee

Re: VPN over NAT

NAT, or more precisely PAT, will usually break an IPSec connection. Thankfully there's a new standard called NAT-T that has each end detect that they're going thru a NAT/PAT device, and if so, they'll encapsulate everything into UDP packets, which can then be NAT'd properly.

The client has this feature enabled automatically. On the PIX you have to turn it on with the command:

> isakmp nat-traversal

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312 for details.
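
The framing described in the reply above, as an added example that is not part of the original post or Cisco's code: a Python classifier that tells raw ESP (IP protocol 50) apart from the NAT-T forms carried in UDP, which is the distinction to look for in a capture when a tunnel comes up but nothing is decrypted. It assumes the RFC 3948 layout on UDP/4500 (non-ESP marker, one-byte keepalive); the function names and packet tuples are constructed for illustration.

```python
import struct

IKE_PORT, NATT_PORT = 500, 4500   # UDP ports used by IKE and NAT-T (RFC 3947/3948)
PROTO_UDP, PROTO_ESP = 17, 50     # IP protocol numbers


def classify(ip_proto, gw_port, payload):
    """Return how one packet carries IPsec; gw_port is the gateway-side UDP port."""
    if ip_proto == PROTO_ESP:
        return "native-esp"            # no ports, so PAT has nothing to translate
    if ip_proto != PROTO_UDP or gw_port not in (IKE_PORT, NATT_PORT):
        return "other"
    if gw_port == IKE_PORT:
        return "ike-500"
    if payload == b"\xff":
        return "natt-keepalive"        # one 0xFF byte keeps the NAT mapping alive
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike-4500"              # non-ESP marker, an IKE message follows
    return "udp-esp"                   # non-zero SPI: ESP wrapped in UDP


def esp_fields(payload):
    """SPI and sequence number from the first 8 bytes of an ESP header."""
    return struct.unpack("!II", payload[:8])


def diagnose(packets):
    """Summarise a flow: is the data traffic UDP-encapsulated or raw ESP?"""
    kinds = {classify(*p) for p in packets}
    if "udp-esp" in kinds:
        return "NAT-T in use: ESP is carried inside UDP/4500"
    if "native-esp" in kinds:
        return "NAT-T not in use: ESP is sent as IP protocol 50"
    return "no ESP data seen"


# Constructed packets (ip_proto, gw_port, payload), not taken from a capture.
ESP = struct.pack("!II", 0x1A2B3C4D, 7) + bytes(16)
WITHOUT_NATT = [(PROTO_UDP, IKE_PORT, bytes(28)), (PROTO_ESP, 0, ESP)]
WITH_NATT = [(PROTO_UDP, IKE_PORT, bytes(28)), (PROTO_UDP, NATT_PORT, bytes(32)),
             (PROTO_UDP, NATT_PORT, b"\xff"), (PROTO_UDP, NATT_PORT, ESP)]

if __name__ == "__main__":
    for name, flow in (("without NAT-T", WITHOUT_NATT), ("with NAT-T", WITH_NATT)):
        print(name, [classify(*p) for p in flow], "->", diagnose(flow))
```

A flow that stays on `ike-500` plus `native-esp` from behind a PAT router matches the symptom in the question: IKE completes, but the ESP data packets are not UDP-encapsulated.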
