I have noticed the following behavior with the Cisco VPN Client (4.x).
Conditions - Start a Remote Access Client IPSec Tunnel to a Cisco Firewall (PIX/ASA 6.x/7.x)
The Cisco Firewall is the perimeter firewall for a company network and has a public IP. It is also serving as a VPN Headend.
The Client is coming from a remote network using private IP addressing.
There are two cases to this:
Case 1 - Client is attached to a router/firewall that does NAT. The router/firewall has a public IP on the Internet. The client is directly behind the router/firewall on a single, flat network (typically 192.168.1.0/24). In this situation, the client can VPN to the remote PIX/ASA/Cisco firewall even without NAT-Traversal enabled and everything works fine.
Case 2 - Now if we take a similar situation - client is on a private network behind a router/firewall that is on the Internet with a public IP. However, now the client has one or more routers between itself and the router/firewall with the public IP. In this case, the client can initiate a VPN connection to the remote PIX/ASA/Cisco firewall and successfully authenticate. However, the client will be unable to pass traffic to the networks behind the firewall. If we enable NAT-Traversal, the problems go away and everything works great. (Requires 6.3+ for PIX/ASA).
My question is, why does Case 1 work? Shouldn't they both fail without NAT-T enabled?
I run into this all the time and tell my clients. They do it and see that it works, but they always want to know why, and I'm not sure!
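To show what NAT-Traversal changes at the NAT device, here is an added simulation (not code from the original post, and not a Cisco implementation). It models a plain port-based NAT with no ESP passthrough/ALG, which is an assumption of the model, and generalizes beyond the single client in the question by putting two inside hosts behind the same NAT: raw ESP (IP protocol 50) has no port for the NAT to key on, so replies for the two tunnels collide, while UDP/4500-encapsulated ESP gets a per-host mapping like any UDP flow. All addresses are constructed sample values.

```python
from dataclasses import dataclass, field

ESP, UDP = 50, 17   # IP protocol numbers
NAT_T_PORT = 4500   # UDP port used by IPsec NAT-Traversal


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0  # 0 means "no port" (raw ESP)
    dport: int = 0


@dataclass
class SimpleNat:
    """Port-based NAT without ESP passthrough/ALG (assumption of this model)."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # outside key -> inside (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == ESP:
            # ESP carries no port: the NAT can only key on the remote peer,
            # so a second inside host to the same head-end overwrites the entry.
            self.table[(ESP, pkt.dst, 0)] = (pkt.src, 0)
            return Packet(ESP, self.public_ip, pkt.dst)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pkt.dst, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, port, pkt.dport)

    def inbound(self, pkt: Packet):
        """Inside (ip, port) a returning packet is delivered to, or None."""
        return self.table.get((pkt.proto, pkt.src, 0 if pkt.proto == ESP else pkt.dport))


def deliver_replies(use_nat_t: bool) -> dict:
    """Two inside clients tunnel to one head-end; return who receives each reply."""
    nat, headend = SimpleNat("198.51.100.1"), "203.0.113.1"   # constructed addresses
    clients = ["192.168.1.10", "192.168.2.10"]
    translated = {}
    for c in clients:
        pkt = Packet(UDP, c, headend, NAT_T_PORT, NAT_T_PORT) if use_nat_t else Packet(ESP, c, headend)
        translated[c] = nat.outbound(pkt)
    result = {}
    for c, out in translated.items():
        reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport)  # head-end answers
        result[c] = nat.inbound(reply)
    return result
```

Without NAT-T both replies land on the host that created the last ESP mapping; with NAT-T each client gets its own reply back.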
Just a thought, are the VPN clients getting an IP address from an IP pool on the PIX? If so, do the additional routers behind the NAT router with the public IP know how to route the address from the IP pool back to the client? Could be a routing issue.