Cisco Support Community
Only one VPN Client with NAT connects to the VPN tunnel

Core issue

If two clients behind the same Network Address Translation (NAT) router try to access the PIX/ASA Firewall for VPN access, only the first one gets a working tunnel.

Resolution

You must configure NAT Transparency on the PIX/ASA.

The IPsec NAT Transparency feature lets IPsec traffic pass through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network and addresses many known incompatibilities between NAT and IPsec.

NAT Transparency uses User Datagram Protocol (UDP) port 4500 in order to encapsulate IPsec packets. By default, PIX/ASA drops all inbound connections that come from the outside. You must open this port in order for NAT Transparency to work.

Issue these commands:

Pix#configure terminal
Pix(config)#isakmp nat-traversal
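Two defender-side checks that go with the fix above, written as an added example (this is not code from the Cisco article or from Cisco): a running-config audit that confirms ISAKMP NAT-Traversal is enabled alongside `isakmp enable <interface>`, and a decoder for the UDP/4500 payload format (RFC 3948) so a capture on that port can be separated into IKE, ESP and NAT keepalive traffic. The config text and packet bytes are constructed for illustration; the regexes accept both the PIX 6.x form shown above (`isakmp nat-traversal`) and the ASA form (`crypto isakmp nat-traversal`).

```python
"""Added example (not from the Cisco article): audit a PIX/ASA config for
NAT Transparency and classify UDP/4500 payloads per RFC 3948."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

# PIX 6.x: "isakmp nat-traversal [secs]"; ASA 7.x+: "crypto isakmp nat-traversal [secs]"
_NATT_RE = re.compile(r"^\s*(?:crypto\s+)?isakmp\s+nat-traversal(?:\s+(\d+))?\s*$", re.M)
# "isakmp enable outside" / "crypto isakmp enable outside": ISAKMP listens on that interface
_ENABLE_RE = re.compile(r"^\s*(?:crypto\s+)?isakmp\s+enable\s+(\S+)\s*$", re.M)


@dataclass
class NatTAudit:
    nat_traversal_enabled: bool
    keepalive_seconds: Optional[int]   # None when the keyword is absent or has no interval
    isakmp_interfaces: list            # interfaces on which ISAKMP is enabled

    @property
    def ok(self) -> bool:
        """Both pieces are needed: NAT-T on, and ISAKMP enabled on at least one interface."""
        return self.nat_traversal_enabled and bool(self.isakmp_interfaces)


def audit_nat_traversal(config_text: str) -> NatTAudit:
    """Scan a running-config and report the NAT Transparency state."""
    m = _NATT_RE.search(config_text)
    keepalive = int(m.group(1)) if (m and m.group(1)) else None
    ifaces = _ENABLE_RE.findall(config_text)
    return NatTAudit(m is not None, keepalive, ifaces)


def classify_natt_payload(payload: bytes) -> dict:
    """Decode the payload of a UDP/4500 datagram (RFC 3948):
    - a single 0xFF byte is a NAT keepalive;
    - four zero bytes (the 'non-ESP marker') precede an IKE header;
    - anything else is UDP-encapsulated ESP whose first 4 bytes are the SPI
      (an ESP SPI is never zero, which is what makes the marker unambiguous)."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == b"\x00\x00\x00\x00":
        ike = payload[4:]
        if len(ike) < 28:                      # fixed ISAKMP/IKE header length
            return {"kind": "malformed"}
        ispi, rspi, _next, ver, exch, _flags, msg_id, length = struct.unpack("!8s8sBBBBII", ike[:28])
        return {"kind": "ike", "ispi": ispi.hex(), "rspi": rspi.hex(),
                "version": f"{ver >> 4}.{ver & 0xF}", "exchange": exch,
                "message_id": msg_id, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed sample configs: the first is the fixed state, the second is the core issue.
CONFIG_FIXED = """\
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 encryption aes
"""
CONFIG_BROKEN = """\
isakmp enable outside
isakmp policy 10 encryption aes
"""

# Constructed sample datagram payloads as seen on UDP/4500.
KEEPALIVE = b"\xff"
IKE_MAIN_MODE = b"\x00" * 4 + struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
ESP_PACKET = struct.pack("!II", 0x12345678, 1) + b"\x00" * 8


if __name__ == "__main__":
    for name, cfg in (("fixed", CONFIG_FIXED), ("broken", CONFIG_BROKEN)):
        print(name, audit_nat_traversal(cfg))
    for pkt in (KEEPALIVE, IKE_MAIN_MODE, ESP_PACKET):
        print(classify_natt_payload(pkt))
```

Run on a saved `show running-config`, the audit flags the "broken" state the article describes; run over UDP/4500 payloads from a capture, the classifier tells you whether a peer ever moved its IKE session to port 4500 and started sending ESP-in-UDP, which is the observable sign that NAT-T was negotiated.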

Refer to IPSec NAT Transparency for more information.

NAT Traversal is a feature that is auto-detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT Transparency capable, NAT Traversal is auto-detected and auto-negotiated.

Version history: Revision 1 of 1, last update 06-22-2009 04:02 PM