Cisco Support Community

VPN Client cannot connect to internal network - NAT/PAT device is not translating Phase II traffic



This document describes an issue where a user of the Cisco VPN Client cannot connect to the internal network because a NAT or PAT device between the client and the VPN Concentrator does not translate the Phase II (ESP) traffic.


What is NAT & PAT?


  • NAT is the process of translating an IP address used within one network to a different IP address known in another network.
  • NAT helps with security, since every outgoing and incoming request must pass through the translation process and inside addresses are not exposed directly.
  • NAT can be defined statically or can draw addresses dynamically from a pool. Cisco's version of NAT enables the administrator to create tables that map:

      • A local IP address to one global IP address statically
      • A local IP address to a rotating pool of global IP addresses
      • A local IP address with a defined TCP port to a global IP address, or to any IP address from the pool
      • A global IP address to any local IP address from a pool, on a round-robin basis




Port Address Translation (PAT) is a process that lets multiple users within a local network share a minimal number of public IP addresses. Its primary function is to share a single public IP address among multiple users accessing the Internet, telling their sessions apart by port number.


An example of PAT:

A user is working in a home network that is connected to the Internet. The router used by the home is given a single public IP address by the ISP. Multiple users access the Internet through the same router, and each connection is assigned its own source port number on the router, so that returning traffic can be mapped back to the right inside host.

Core issue


There is a Network Address Translation (NAT) or Port Address Translation (PAT) device in the middle which is not translating the Phase II Encapsulating Security Payload (ESP) traffic. ESP is IP protocol 50 and carries no port numbers, so a PAT device has nothing on which to distinguish one inside host's ESP session from another's; ESP does not work through PAT. The Phase I Internet Key Exchange (IKE) session establishes because it uses User Datagram Protocol (UDP) port 500, which PAT translates like any other UDP flow. The result is that the client appears to connect but cannot pass traffic to the internal network.
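The following is an added example, not part of the original Cisco document, that models the PAT behaviour described in the NAT/PAT section above and the core issue: a minimal NAT overload table that maps inside flows by (protocol, inside IP, inside port). Two inside clients negotiate IKE over UDP/500 through it successfully, their raw ESP replies cannot be delivered because there is no port to look up, and wrapping the ESP in UDP gives the PAT device a port to translate. The addresses, SPIs and the UDP port 4500 used for encapsulation are constructed for illustration (the concentrator lets you choose the port).

```python
"""Why PAT breaks raw ESP, and why UDP encapsulation fixes it.

Added example, not from the original Cisco document. The PAT table is a
minimal model of a NAT overload device; addresses, ports and SPIs are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

PROTO_UDP = 17
PROTO_ESP = 50   # IP protocol 50: the ESP header has an SPI but no port numbers
IKE_PORT = 500   # Phase I IKE


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None     # None for ESP: there is no port field
    dst_port: Optional[int] = None
    spi: Optional[int] = None          # ESP Security Parameters Index
    inner: Optional["Packet"] = None   # encapsulated ESP packet when carried in UDP


@dataclass
class PatDevice:
    public_ip: str
    next_port: int = 1024
    # (proto, inside_ip, inside_port) -> public source port
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside-to-outside packet."""
        if pkt.proto == PROTO_UDP:
            key = (pkt.proto, pkt.src_ip, pkt.src_port)
            if key not in self.table:
                self.table[key] = self.next_port
                self.next_port += 1
            return Packet(PROTO_UDP, self.public_ip, pkt.dst_ip,
                          self.table[key], pkt.dst_port, inner=pkt.inner)
        if pkt.proto == PROTO_ESP:
            # Only the source IP can be rewritten: every inside host's ESP
            # leaves looking the same apart from its SPI, and nothing is recorded.
            return Packet(PROTO_ESP, self.public_ip, pkt.dst_ip, spi=pkt.spi)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the inside host, or None if PAT cannot route it."""
        if pkt.proto == PROTO_UDP:
            for (proto, in_ip, in_port), pub_port in self.table.items():
                if proto == PROTO_UDP and pub_port == pkt.dst_port:
                    return Packet(PROTO_UDP, pkt.src_ip, in_ip,
                                  pkt.src_port, in_port, inner=pkt.inner)
            return None
        if pkt.proto == PROTO_ESP:
            # No port to key on, and the device never learned which inside
            # host owns this SPI: the reply is dropped.
            return None
        raise ValueError(f"unsupported protocol {pkt.proto}")


def udp_encapsulate(esp: Packet, port: int) -> Packet:
    """Wrap an ESP packet in a UDP header so that PAT has a port to translate."""
    return Packet(PROTO_UDP, esp.src_ip, esp.dst_ip, port, port, inner=esp)


def simulate(encapsulate_port: Optional[int]) -> dict:
    """Run two inside clients through one PAT device to one VPN gateway.

    Returns, per client, whether the Phase I (IKE) reply and the Phase II (ESP)
    reply made it back to the inside host.
    """
    pat = PatDevice(public_ip="198.51.100.1")
    gateway = "203.0.113.5"
    clients = {"192.168.1.10": 0x1001, "192.168.1.11": 0x1002}  # inside IP -> client SPI
    result = {"ike": {}, "esp": {}}
    for ip, spi in clients.items():
        # Phase I: IKE over UDP/500; PAT allocates a distinct public port per client
        out = pat.outbound(Packet(PROTO_UDP, ip, gateway, IKE_PORT, IKE_PORT))
        reply = pat.inbound(Packet(PROTO_UDP, gateway, out.src_ip, IKE_PORT, out.src_port))
        result["ike"][ip] = reply is not None and reply.dst_ip == ip

        # Phase II: ESP from the client, either raw or UDP-encapsulated
        esp = Packet(PROTO_ESP, ip, gateway, spi=spi)
        if encapsulate_port is not None:
            esp = udp_encapsulate(esp, encapsulate_port)
        out = pat.outbound(esp)
        # The gateway answers to whatever it saw (the PAT public address/port) on its own SA
        gw_esp = Packet(PROTO_ESP, gateway, out.src_ip, spi=spi + 0x100)
        if encapsulate_port is not None:
            reply = Packet(PROTO_UDP, gateway, out.src_ip,
                           encapsulate_port, out.src_port, inner=gw_esp)
        else:
            reply = gw_esp
        home = pat.inbound(reply)
        result["esp"][ip] = home is not None and home.dst_ip == ip
    return result


if __name__ == "__main__":
    print("raw ESP:          ", simulate(None))
    print("ESP over UDP/4500:", simulate(4500))
```

Running it shows IKE succeeding for both clients in either mode, while Phase II only gets home when the ESP is carried inside UDP. The same reasoning applies to the TCP option described below: once there is a transport-layer port, the PAT device can keep a per-client mapping.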




The VPN Client connecting to the VPN 3000 Concentrator has two options for carrying the ESP traffic through the NAT/PAT device.


  • IPsec tunnel through UDP

    Enable the IPsec/NAT feature on the VPN Client and the VPN Concentrator, so that ESP is encapsulated in UDP, which the PAT device can translate.

      • For the VPN Client, select Options > Properties, and then check the Allow IPSec through NAT check box.

      • On the VPN Concentrator, select Configuration > User Management > Groups > Modify, and then check the Mode Config check box. Then go to the Mode Config tab and select IPSec over UDP. You can specify the UDP port.


  • IPsec tunnel through TCP

    This procedure applies to VPN 3000 Software versions 3.5 and later.

      • For the VPN Client, select the Use IPSec over TCP radio button. When using TCP, enter the port number in the TCP port field. This port number must match a port configured on the secure gateway. The default port number is 10000.

      • On the VPN Concentrator, select Configuration > System > Tunneling Protocols > IPSec > IPSec over TCP, and check Enabled. You can specify multiple ports.


Refer to NAT Support for IPSec ESP - Phase II for details on how to allow multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS® Network Address Translation (NAT) device configured in overload or Port Address Translation (PAT) mode.