Cisco Support Community
Community Member

IPSec and NAT

Hi,

I've a basic question related to support for NAT with IPSec. I understand that it is not possible to do NAT after IPSec encryption of packets. The workaround when NAT is involved in the path is to use NAT-Transparency. But the document on CCO at http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml has steps for configuring VPN when a firewall in between the IPSec path is doing NAT. I've not tested this setup but was wondering if the configuration suggested in the CCO document would work. Any ideas?

Thanks,

Krishna

1 REPLY
Community Member

Re: IPSec and NAT

You can still do NAT after IPSec encryption. The key here is to use protocol ESP, not AH, as AH would authenticate the IP header and NATting the IP address would fail the AH authentication.

The link on CCO will work. Just one more thing: when configuring the access-list on the PIX sitting between the IPSec peers, make sure UDP/4500 is allowed. IPSec NAT-Traversal uses UDP/4500.
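The AH versus ESP point in the reply above, as an added example that is not part of the original thread: a simplified Python model of which bytes each integrity check value (ICV) covers, showing that a source-address rewrite breaks the AH-style check while a TTL decrement does not, and that the ESP-style check ignores the outer IP header. The key, addresses, SPI and payload are constructed, and the AH header layout is reduced to "IP header plus payload" for brevity.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed key, illustration only

def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 for the model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(hdr, payload):
    """AH-style ICV: IP header with mutable fields zeroed, plus the payload."""
    h = bytearray(hdr)
    h[1] = 0                # TOS (mutable in transit)
    h[6:8] = b"\x00\x00"    # flags / fragment offset (mutable)
    h[8] = 0                # TTL (mutable)
    h[10:12] = b"\x00\x00"  # header checksum (mutable)
    # Source and destination addresses (bytes 12..19) stay in the MAC input.
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_bytes):
    """ESP-style ICV: SPI, sequence number and ciphertext only, no IP header."""
    return hmac.new(KEY, esp_bytes, hashlib.sha256).digest()[:16]

def icv_ok_after(mode, new_src=None, new_ttl=None):
    """Compute the sender's ICV, alter the header in transit, re-verify."""
    payload = struct.pack("!II", 0x1001, 1) + b"ciphertext-placeholder"
    proto = 51 if mode == "ah" else 50  # IP protocol numbers: AH=51, ESP=50
    hdr = ip_header("10.1.1.10", "203.0.113.20", proto, len(payload))
    sent = ah_icv(hdr, payload) if mode == "ah" else esp_icv(payload)
    seen = bytearray(hdr)
    if new_ttl is not None:
        seen[8] = new_ttl                           # router hop
    if new_src is not None:
        seen[12:16] = socket.inet_aton(new_src)     # NAT source rewrite
    seen = bytes(seen)
    recv = ah_icv(seen, payload) if mode == "ah" else esp_icv(payload)
    return hmac.compare_digest(sent, recv)

if __name__ == "__main__":
    print("AH  after TTL change:", icv_ok_after("ah", new_ttl=63))
    print("AH  after NAT       :", icv_ok_after("ah", new_src="198.51.100.5"))
    print("ESP after NAT       :", icv_ok_after("esp", new_src="198.51.100.5"))
```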
