
IPSec and NAT

krishnas
Level 1

Hi,

I've a basic question related to support for NAT with IPSec. I understand that it is not possible to do NAT after IPSec encryption of packets. The workaround when NAT is involved in the path is to use NAT-Transparency. But the document on CCO at http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml has steps for configuring VPN when a firewall in between the IPsec PATH is doing NAT. I've not tested this setup but was wondering if the configuration suggested in the CCO document would work. Any ideas?

Thanks,

Krishna

1 Reply

lchen2
Level 1

You can still do NAT after IPSec encryption. The key here is to use protocol ESP, not AH, as AH would authenticate the IP header and NATting the IP address would fail the AH authentication.

The link on CCO will work. Just one more thing: when configuring the access-list on the PIX sitting between the IPSec peers, make sure UDP/4500 is allowed. IPSec NAT-Traversal uses UDP/4500.
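
Added example (not part of the original posts): a simplified Python model of the integrity check described in the reply, showing that an AH-style ICV covers the outer IP addresses while an ESP-style ICV does not. The key, addresses, SPI and payload are constructed; HMAC-SHA-256 truncated to 128 bits stands in for whatever integrity algorithm the peers negotiate, and the AH header itself is left out of the ICV input.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key, not a real SA key

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_icv(ip_hdr, payload):
    """AH-style ICV: IP header with mutable fields zeroed, plus the payload."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS/DSCP (mutable in transit)
    h[6:8] = b"\x00\x00"    # flags + fragment offset (mutable)
    h[8] = 0                # TTL (mutable)
    h[10:12] = b"\x00\x00"  # header checksum (mutable)
    # Source and destination addresses are not zeroed: they are authenticated.
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]

def esp_icv(esp_packet):
    """ESP-style ICV: ESP header (SPI, sequence) + payload, no IP header."""
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()[:16]

def through_hop(ip_hdr, new_src):
    """Header changes made by one hop: TTL decrement and (for NAT) a new source."""
    h = bytearray(ip_hdr)
    h[8] -= 1
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def icv_survives_nat():
    payload = b"constructed payload"
    esp_packet = struct.pack("!II", 0x1001, 1) + payload   # SPI, seq, data
    ah_hdr = ipv4_header("10.0.0.5", "198.51.100.9", 51, len(payload))
    esp_hdr = ipv4_header("10.0.0.5", "198.51.100.9", 50, len(esp_packet))
    sent_ah, sent_esp = ah_icv(ah_hdr, payload), esp_icv(esp_packet)
    routed = through_hop(ah_hdr, "10.0.0.5")        # plain router, no NAT
    natted = through_hop(ah_hdr, "203.0.113.7")     # NAT rewrites the source
    esp_wire = through_hop(esp_hdr, "203.0.113.7") + esp_packet
    return {
        "ah_after_routing": hmac.compare_digest(sent_ah, ah_icv(routed, payload)),
        "ah_after_nat": hmac.compare_digest(sent_ah, ah_icv(natted, payload)),
        "esp_after_nat": hmac.compare_digest(sent_esp, esp_icv(esp_wire[20:])),
    }

if __name__ == "__main__":
    print(icv_survives_nat())
```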
