Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSEC behind a PAT devices

Our firewall has multiple site-to-site VPN's as well as it supports Remote Access VPN (using an ASA). A number of RA users who are coming behind a PAT'd address are unable to VPN in, after doing some research I am seeing that a line needs to be added on both firewalls, ie:

isakmp nat-traversal 20

I fear though that this will "hurt" the site-to-site VPN based on this document:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.pdf

section : Enabling IPsec over NAT-T

Is there any problem enabling this command on the firewall without harming any of the site-to-site VPN's or even RA VPN's?

2 REPLIES
Cisco Employee

Re: IPSEC behind a PAT devices

Roni,

You are on the right path, "isakmp nat-traversal" should overcome the issues you are running with RA Users through PAT Device.

And Technically, by enabling "isakmp nat-traversal", you should not run into any issues with L2L Tunnels. Atleast, that is what I have seen with Cisco VPN Servers. In case, if you have L2L Tunnels configured to third party vendors, I would recommend that you enable this command during a "Maintenance Window" and if possible, clear the isakmp and ipsec sa's, and re-establish the tunnels. So, you know for sure that enabling the command did not break the L2L Tunnel Configuration/behavior.

Regards,

Arul

*Pls rate if it helps*

Silver

Re: IPSEC behind a PAT devices

If you are doing L2L VPN between Cisco and

and Checkpoint and/or Juniper devices, be

sure to enter this command as well:

no crypto ipsec nat-transparency udp-encapsulation

that will ensure the the L2L VPN to use ESP

instead of sending udp/4500.

251
Views
0
Helpful
2
Replies