NAT traversal with cisco 827

raydakis · ‎05-08-2003

i use a vpn client 3.6.4 behind a cisco 827 (ppoe with NAT) to connect to a pix 515 (configure also with nat ). I want to access a sever behind the pix.

Can i configure ip nat traversal on the cisco 827 (ios 12.2.13T) ?

does it work ?

vpn client 6.3.4<--->cisco827(NAT) <-----internet------> Pix515(NAT)<--->server

thanks !

hadbou · ‎05-14-2003

NAT-T can be used between VPN Clients and a concentrator, or between concentrators behind a NAT/PAT device. At this time, this feature is supported only between the Cisco VPN clients (Unity client) and a concentrator, or between concentrators.

gfullage · ‎05-14-2003

Not quite right. NAT-T is supported on routers and PIX's now also.

However, you have the wrong idea of where to configure it. You configure NAT-T on the VPN termination point, in your case the PIX. The intermediate 837 doesn't need to know about anything, as the VPN client and the PIX will encapsulate their IPSec packets into UDP 4500 and the 837 will just NAT them like any other packet.

On the PIX, upgrade it to 6.3 code and use the command:

> isakmp nat-traversal

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312

raydakis · ‎05-15-2003

hi,

thanks for your reply .

i'll change my configuration and upgrade the pix firewall.

fbarook · ‎05-15-2003

Better check the following bug before configuring,

CSCea72383 - PIX crashes with isakmp nat-traversal command