05-09-2006 10:35 PM - edited 02-21-2020 02:24 PM
Hello,
I have a router behind a firewall and I would like to set up a VPN to the router. The router uses only private 10.x space and I would like it to peer IPsec using its loopback IP. The firewall provides a static NAT for the router loopback. I have also opened UDP 500 and UDP 4500 for ISAKMP and NAT traversal. I can get phase I up, but phase II cannot come up. It looks to be a problem with using private IP space as the peering source.
Can an IPsec VPN be set up on a router that uses only private IP space which is NATted on a different device?
Thanks,
Lee
05-11-2006 07:32 AM
Lee
I have not done quite the thing that you describe so I can not speak from experience. But from my understanding it should be possible. If NAT is done on the firewall (between the router and its peer) it should be transparent to the router. And if you can get phase 1 to work then I think this verifies that it should be possible.
If you get phase 1 but not phase 2 I would guess that the problem may be that the firewall is allowing ISAKMP but is not allowing ESP (and/or AH). Check and see if the IPSec protocols are allowed through the firewall and let us know.
HTH
Rick
05-12-2006 08:09 AM
Hello Lee
In addition to the static you will have to modify your ACL on the outside (eventually on the inside interface too)
in order to permit ESP and AH protocols between the remote IP and the static outside IP.
Check PIX firewall config on this sample config
http://www.cisco.com/warp/public/707/ipsecnat.html
Hope this helps ... rate if it does!
Regards !
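Both replies come down to the same check: besides ISAKMP (UDP 500) and NAT-T (UDP 4500), the firewall must permit ESP (IP protocol 50) and AH (IP protocol 51) between the remote peer and the static outside address of the router loopback. The script below is an added example, not code from this thread or from Cisco's sample config: it parses a simplified IOS-style extended ACL, applies first-match semantics with the implicit deny at the end, and reports which of the required entries are missing. The peer and static addresses and the ACL lines are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Everything an IPsec peer behind a static NAT needs the firewall to permit,
# keyed by a short name: (IOS protocol keyword, UDP destination port or None).
REQUIRED = {
    "isakmp": ("udp", 500),    # IKE phase 1 / phase 2 negotiation
    "nat-t":  ("udp", 4500),   # IKE and ESP encapsulated in UDP for NAT traversal
    "esp":    ("esp", None),   # IP protocol 50, carries the phase 2 traffic
    "ah":     ("ahp", None),   # IP protocol 51, if AH transforms are used
}

# IOS port keywords that may appear after "eq" on a udp entry.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp", "tcp", "esp", "ahp"
    src: str               # host address or "any"
    dst: str               # host address or "any"
    dport: Optional[int]   # destination port for udp/tcp, None otherwise


def _addr(tokens: List[str], i: int):
    """Consume 'host A' or 'any' starting at tokens[i]; return (addr, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]!r}")


def parse_rule(line: str) -> Rule:
    """Parse one simplified IOS extended ACL entry, e.g.
    'access-list 101 permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    action, proto = t[2], t[3]
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dport = PORT_NAMES.get(name) or int(name)
    return Rule(action, proto, src, dst, dport)


def _matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.src != "any" and rule.src != src:
        return False
    if rule.dst != "any" and rule.dst != dst:
        return False
    return rule.dport is None or rule.dport == dport


def is_permitted(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """First matching entry decides; no match means the implicit deny at the end."""
    for rule in rules:
        if _matches(rule, proto, src, dst, dport):
            return rule.action == "permit"
    return False


def missing_ipsec_permits(acl_text: str, peer: str, static_ip: str) -> List[str]:
    """Names from REQUIRED that the ACL does not permit from the remote peer
    to the static outside address of the router."""
    rules = [parse_rule(l) for l in acl_text.strip().splitlines() if l.strip()]
    return [name for name, (proto, port) in REQUIRED.items()
            if not is_permitted(rules, proto, peer, static_ip, port)]


PEER = "203.0.113.10"      # remote IPsec peer (constructed address)
STATIC = "198.51.100.5"    # static NAT of the router loopback (constructed address)

# Constructed ACL: only ISAKMP and NAT-T opened, as described in the question.
ACL_ISAKMP_ONLY = """
access-list 101 permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list 101 permit udp host 203.0.113.10 host 198.51.100.5 eq non500-isakmp
access-list 101 deny ip any any
"""

# Constructed ACL: the same entries plus ESP and AH, as the replies advise.
ACL_WITH_IPSEC = """
access-list 101 permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
access-list 101 permit udp host 203.0.113.10 host 198.51.100.5 eq non500-isakmp
access-list 101 permit esp host 203.0.113.10 host 198.51.100.5
access-list 101 permit ahp host 203.0.113.10 host 198.51.100.5
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    print("missing before fix:", missing_ipsec_permits(ACL_ISAKMP_ONLY, PEER, STATIC))
    print("missing after fix: ", missing_ipsec_permits(ACL_WITH_IPSEC, PEER, STATIC))
```

The first ACL reproduces the symptom in the question: phase 1 negotiates over UDP 500, but the phase 2 traffic (raw ESP) is dropped by the closing deny, so the checker reports `esp` and `ah` as missing; the second ACL passes. One caveat the checker does not model: when both peers detect the NAT and negotiate NAT-T, ESP is carried inside UDP 4500 and the raw ESP entry is not exercised, so a tunnel can work with UDP 4500 alone; permitting ESP and AH as the replies suggest covers both cases.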