Cisco Support Community

New Member

NAT and IPSec Work together?

I have a network provided by CBeyond (basically it's data over voice (6 lines) and relatively high speed). They run NAT. Authentication on that network cannot occur with the Nortel Ethernet Access Client. CBeyond's technical rationale for why this won't work is (their words):

"Upon further investigation of this issue, we have determined that NAT and IPSec cannot work together. The reason: The IPSec Authentication Header (AH) runs the entire IP packet, including invariant header fields such as source and destination IP address, through a message digest algorithm to produce a keyed hash. This hash is used by the recipient to authenticate the packet. If any field in the original IP packet is modified, authentication will fail and the recipient will discard the packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP packets. Therefore, AH + NAT simply cannot work. The only solution we find for this scenario at this time is for the customer to request a public IP address for the workstation in question. Note that both end points must have public IP addresses for this to work."

Now I understand how IPSec works, but I believe that the CISCO ID 2400 series router can be configured to allow IPSec with DHCP and not have a public IP address on the client side (one is id'd for the gateway side). Can anyone help, as it seems CBeyond can't?

  • Security Management
New Member

Re: NAT and IPSec Work together?


NAT + IPSec with AH won't work.

But NAT + IPSec without AH does work very well.
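As an added illustration (not from the thread), the following Python models why the reply holds: an AH-style integrity check keyed over the immutable IP header fields plus payload fails once a NAT rewrites the source address, while an ESP-style check over the payload alone still verifies. The key, addresses and payload are constructed, and HMAC-SHA256 truncated to 96 bits stands in for a real IPsec integrity algorithm.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed shared key; not from the thread.
KEY = b"example-shared-key"


def ipv4_header(src, dst, ttl=64, proto=51, total_len=40):
    """Build a minimal 20-byte IPv4 header (checksum left zero for simplicity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_immutable_view(hdr):
    """Zero the fields AH treats as mutable (TOS, flags/frag offset, TTL,
    checksum). Source and destination addresses are kept: AH covers them."""
    h = bytearray(hdr)
    h[1] = 0                # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(hdr, payload, key=KEY):
    """AH-style ICV: keyed hash over immutable header fields + payload."""
    return hmac.new(key, ah_immutable_view(hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(payload, key=KEY):
    """ESP-style ICV: keyed hash over the ESP payload only; the outer IP header is not covered."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:12]


def nat_rewrite(hdr, new_src, new_ttl):
    """Simulate a router hop: rewrite the source address (NAT) and decrement TTL."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] = new_ttl
    return bytes(h)


def simulate(nat=True):
    """Send one packet through a hop; report whether each ICV still verifies at the receiver."""
    payload = b"constructed payload"
    sent = ipv4_header("192.168.1.10", "203.0.113.5")
    ah, esp = ah_icv(sent, payload), esp_icv(payload)
    # Without NAT only the TTL changes, which AH excludes from the hash.
    received = nat_rewrite(sent, "198.51.100.7" if nat else "192.168.1.10", 63)
    return {"ah_ok": hmac.compare_digest(ah_icv(received, payload), ah),
            "esp_ok": hmac.compare_digest(esp_icv(payload), esp)}
```

Running `simulate(True)` gives `ah_ok` False and `esp_ok` True, while `simulate(False)` gives both True: only the address rewrite breaks AH.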