Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec VPN between Cisco IOS routers through Checkpoint firewall

wonder if someone can explain this:


Both Ra and Rb is using version 12.2(15)T17

Ra ip address is and

it is NATted by the checkpoint to be Rb ip address is

IPSec is between Ra and Rb for LanA and LanB.

Straight forward IPSec between Ra and Rb,

no GRE whatsoever.

On the checkpoint firewall, I have static

NAT for Ra from to

and I have rule on the firewall to allow

EVERYTHING through the firewall.

On the router, I explicitly put in the

following command:

crypto ipsec nat-transparency udp-encapsulation

The VPN between Ra and Rb is working and traffic

between Ra and Rb is working; however, tcpdump

on the checkpoint firewall reveals that the routers

are using ESP (proto 50) instead of NAT-T (udp/4500).

I thought that if the VPN device detects that

it is behind a NAT device, it will use nat-t

instead of ESP. Furthermore, the command

I put into the router should be enough

to tell the routers to use udp/4500.

I asked Cisco about this before but they have an

answer for me either.


Re: IPSec VPN between Cisco IOS routers through Checkpoint firew

Turning on this command turns on NAT-T on the router. Try a sniffer between router and the NAT-T device to check if NAT-T really works. Also make sure client supports it .

New Member

Re: IPSec VPN between Cisco IOS routers through Checkpoint firew

debug on routers doesn't tell me anything

I didn't already knew.

Any other advices? Thanks.