I have a doctor's office client who is using a recently-deployed Cisco 871W router. One doctor makes a VPN connection to a remote VPN server. Initially, with the default Cisco firewall enabled, the VPN client would not connect at all; it would time out during the connection process. I reviewed the built-in Cisco Help files and found the following:
[quote]How Do I Configure NAT Passthrough for a VPN?
If you are using NAT to translate addresses from networks outside your own and if you are also connecting to a specific site outside your network via a VPN, you must configure NAT passthrough for your VPN connection, so that network address translation does not take place on the VPN traffic. If you have already configured NAT on your router and are now configuring a new VPN connection using SDM, you will receive a warning message informing you that SDM will configure NAT so that it does not translate VPN traffic. You must accept the message so that SDM will create the necessary ACLs to protect your VPN traffic from translation.
If you are configuring NAT using SDM and you have already configured a VPN connection, perform the following procedure to create ACLs.
From the left frame, select Additional Tasks/ACL Editor.
In the Rules tree, choose Access Rules.
The Add a Rule dialog box appears.
In the Name/Number field, enter a unique name or number for the new rule.
From the Type field, choose Extended Rule.
In the Description field, enter a short description of the new rule.
The Add a Standard Rule Entry dialog box appears.
In the Action field, choose Permit.
In the Source Host/Network group, from the Type field, select A Network.
In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN source peer.
In the Destination Host/Network group, from the Type field, select A Network.
In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN destination peer.
In the Description field, enter a short description of the network or host.
The new rule now appears in the Access Rules table.[/quote]
I tried this, entering the IP address that the VPN client connects to, but I still could not connect to the VPN server.
After doing so, the VPN client could successfully connect, but trying to run programs (such as Outlook) resulted in the programs either bogging down terribly or hanging up completely. I hooked the doctor's computer directly to the DSL, bypassing the router entirely, and was able to connect using the VPN. I noticed that the number of bytes sent and received was more or less the same. I then switched back to going through the router, and noticed that the number of bytes received was significantly less than the number of bytes sent. I disabled the firewall completely, but that did not help. It appeared that NAT was filtering out many of the returning packets.
I did some research on enabling IPSec over NAT and apparently it's really easy on cheapy routers--usually there's just a checkbox for it somewhere in the config. Other routers don't even require that--VPN clients will "just work". Yet that's not the case with this Cisco.
So I'm hoping you guys might be able to point me in the right direction here. I've been learning this Cisco stuff as needed as I go along, and this part has me pretty much stumped. Thanks!
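For readers who want to see the CLI behind the SDM dialogs quoted above, here is an added example configuration. It is not from the original post, not Cisco's help text, and not what SDM generates; it shows, written by hand, the two distinct things an 871W can be asked to do with IPsec and NAT: the NAT exemption the help text describes (for a tunnel the router itself terminates) and the IOS NAT and CBAC settings that let a VPN *client* on the LAN get its IKE, NAT-T and ESP replies back through PAT. The interface names (Vlan1, Dialer0), the LAN 192.168.1.0/24, the remote peer 203.0.113.10, the remote protected network 10.10.0.0/16 and the ACL and inspect names are all assumptions.

```cisco
! Added example configuration (assumed addressing, not the poster's network):
!   LAN 192.168.1.0/24 on Vlan1, DSL uplink on Dialer0,
!   remote VPN server 203.0.113.10, remote protected network 10.10.0.0/16.
!
! --- Part 1: NAT exemption, the hand-written CLI form of what the SDM help
! text is building. It only applies when the router itself terminates a
! site-to-site tunnel: packets for the remote protected network must NOT be
! translated, so they are denied in the NAT ACL ahead of the catch-all permit.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Dialer0 overload
!
! --- Part 2: a VPN client PC on the LAN going out through PAT.
! Its packets still have to be translated; the difficulty is the replies.
! IKE (UDP/500) and NAT-T (UDP/4500) are ordinary UDP flows and PAT maps
! them like any other. Plain ESP (IP protocol 50) carries no ports, so when
! the client does not negotiate NAT-T the PAT table has nothing to key the
! returning ESP on. IOS can instead keep the client's IKE source port and
! match ESP replies by SPI for the inside hosts listed in access-list 10.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat service list 10 IKE preserve-port
ip nat service list 10 ESP spi-match
!
! --- Part 3: the stateful firewall (CBAC). Inspecting outbound TCP and UDP
! opens the IKE and NAT-T replies dynamically; ESP is not inspected, so the
! outside-interface ACL needs a static permit from the known peer.
ip inspect name FW tcp
ip inspect name FW udp
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 eq isakmp any eq isakmp
 permit udp host 203.0.113.10 eq non500-isakmp any
 permit esp host 203.0.113.10 any
 deny   ip any any
!
interface Vlan1
 ip nat inside
 ip inspect FW in
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

Two checks are worth running once this is in place. `show ip nat translations` while the client connects should list the PC's UDP/500 (and, if it negotiated NAT-T, UDP/4500) entries; when UDP/4500 is present the ESP SPI-matching entries are simply unused. `show ip inspect sessions` should show the CBAC sessions for those flows. The two `ip nat service` commands need an IOS image that includes the IPsec ESP through NAT feature, so confirm with `ip nat service ?` in configuration mode before relying on them.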