
New Member

LAN2LAN IPSEC behind a 1-to-1 NAT

Hi All,

We have a client that we need to do LAN2LAN IPSEC with, but their VPN Gateway (PIX firewall) is behind a NAT. Will it work? Their PIX's outide interface is NATed to a public Address.

5 REPLIES

Re: LAN2LAN IPSEC behind a 1-to-1 NAT

Yes it will work - they just have to MAKE SURE they perform a 1:1 NAT for the IP address and not PAT - as ESP is a protocol and cannot be port translated, and AH is broken by NAT.

HTH

New Member

Re: LAN2LAN IPSEC behind a 1-to-1 NAT

OK. We will test it.

But since you mentioned it, if one end is behind a PAT, do we need to use NAT-T or something? Or will it still not work?

Regards.

New Member

Re: LAN2LAN IPSEC behind a 1-to-1 NAT

It should work, but only the peer behind the NAT may initiate the connection using NAT-T (ESP tunneled via UDP). If the remote peer tries to initiate the tunnel, nothing will happen, because you don't have an xlate telling the outside the local IP of the gateway.

Rgds,

Pedro

Silver

Re: LAN2LAN IPSEC behind a 1-to-1 NAT

That is NOT true. ESP will work as well. For example, you want to do L2L VPN between R1 and R3 but you only have one public IP address on R2.

R1----Internet--(F0/0)R2(F0/1)----R3

Let's say R1 external is 1.1.1.1, R2 F0/0 has an IP of 1.1.1.2. R2 F0/1 has an IP address of 192.168.1.1 and R3 has an IP address of 192.168.1.3.

Here is how you do it:

R2:

    ! /24 masks assumed; the original post gave none
    interface F0/0
     ip nat outside
     ip address 1.1.1.2 255.255.255.0
    interface F0/1
     ip address 192.168.1.2 255.255.255.0
     ip nat inside
    ! static port translation for IKE (UDP 500), then a static ESP translation
    ! (IOS order is local-ip local-port, then the global interface and port)
    ip nat inside source static udp 192.168.1.3 500 interface F0/0 500
    ip nat inside source static esp 192.168.1.3 interface F0/0

NOW, YOU CAN DO L2L IPSEC VPN BETWEEN R1 AND R3 USING ESP WITHOUT USING NAT-T. YOU CAN TEST BY USING "NO CRYPTO IPSEC NAT UDP" ON R3.

This is a classic VPN problem.
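The behaviour argued over in the two replies above (outside-initiated traffic has no xlate through plain PAT, ESP has no port for PAT to rewrite, and the posted static udp 500 / static esp entries let the remote peer initiate), as an added toy model that is not part of this thread or of any Cisco code. Addresses and device names follow the post; the xlate logic is a deliberate simplification of a real NAT device.

```python
# Constructed toy model of the NAT behaviour debated in this thread; not Cisco code.
# A packet is (src, dst, proto, sport, dport). ESP (IP protocol 50) carries no ports.
ESP, UDP, IKE = 50, 17, 500
class PatRouter:
    def __init__(self, public_ip, statics=None):
        self.public_ip = public_ip
        self.statics = dict(statics or {})   # {(proto, global_port): (inside_ip, inside_port)}
        self.xlates = {}                     # dynamic entries, built only by inside->outside traffic

    def out(self, pkt):
        """Inside -> outside; returns the translated packet, or None if dropped."""
        src, dst, proto, sport, dport = pkt
        for (sproto, gport), (iip, iport) in self.statics.items():
            if sproto == proto and (iip, iport) == (src, sport):
                return (self.public_ip, dst, proto, gport, dport)
        if proto == ESP:
            # Nothing to port-translate, so PAT can only key on the protocol: one inside ESP peer.
            owner = self.xlates.get((ESP, None))
            if owner not in (None, src):
                return None
            self.xlates[(ESP, None)] = src
            return (self.public_ip, dst, ESP, None, None)
        gport = 1024 + len(self.xlates)      # pick an unused global port for UDP/TCP
        self.xlates[(proto, gport)] = (src, sport)
        return (self.public_ip, dst, proto, gport, dport)

    def inbound(self, pkt):
        """Outside -> inside; needs a static or an xlate already created by out()."""
        src, dst, proto, sport, dport = pkt
        if (proto, dport) in self.statics:
            iip, iport = self.statics[(proto, dport)]
            return (src, iip, proto, sport, iport)
        hit = self.xlates.get((proto, dport))
        if hit is None:
            return None
        return (src, hit, ESP, None, None) if proto == ESP else (src, hit[0], proto, sport, hit[1])

def reaches(router, pkt, inside_ip):
    t = router.inbound(pkt)
    return t is not None and t[1] == inside_ip

def scenarios(R1="1.1.1.1", R3="192.168.1.3", PUB="1.1.1.2"):
    pat = PatRouter(PUB)                                          # plain PAT, no statics
    outside_first = reaches(pat, (R1, PUB, UDP, IKE, IKE), R3)    # R1 initiates: no xlate yet
    ike = pat.out((R3, R1, UDP, IKE, IKE)); pat.out((R3, R1, ESP, None, None))   # R3 initiates
    inside_first = reaches(pat, (R1, PUB, UDP, IKE, ike[3]), R3) and reaches(pat, (R1, PUB, ESP, None, None), R3)
    second_host = pat.out(("192.168.1.4", R1, ESP, None, None)) is not None    # second inside ESP peer
    st = PatRouter(PUB, {(UDP, IKE): (R3, IKE), (ESP, None): (R3, None)})     # the posted statics
    with_statics = reaches(st, (R1, PUB, UDP, IKE, IKE), R3) and reaches(st, (R1, PUB, ESP, None, None), R3)
    return {"outside_initiates_pat": outside_first, "inside_initiates_pat": inside_first,
            "second_esp_host_pat": second_host, "outside_initiates_statics": with_statics}
```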

New Member

Re: LAN2LAN IPSEC behind a 1-to-1 NAT

It's true, but my post is assuming that he can't do any static in the path.

rgds
