VPN outbound and NAT Pools

randyclark
Level 1

We are using NAT addressing on our internal LAN. In order for someone to use IPsec to VPN to their home network, does the client on our network have to have a NAT address with a static outside address, or will it work from a NAT pool?

4 Replies

acomiskey
Level 10

It depends on whether or not the remote end supports NAT-T (NAT traversal). This will allow IPsec and PAT to work together.

What we have on our side is the following.

Private IP ----> ASA5520-->NAT POOL-->Internet.

It would be up to the client to make the remote end work. All I have to know is if the client will work through our NAT pool without making a static entry. Save opening the IPsec port for that network range. Also, would it require any bidirectional ports to be opened?

Sorry, was thinking PAT.

Hi Randy,

Since the "fixup protocol esp" command is no longer supported with ASA, the only correct way to make ASA IPsec passthrough work through NATting is for the headend device to be NAT-T compatible.

In other words, the headend device and the client should support NAT-T and it should be enabled on both of them.

It doesn't matter if you use a NAT pool or a PATted IP address, as long as you have NAT-T enabled.

It would work.

*Please rate if helped.

-Kanishka
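
What NAT-T traffic looks like on the wire, and why it survives a NAT pool or PAT while native ESP does not. This is an added example, not part of the thread: it classifies packets by the RFC 3947/3948 rules and lists the outbound openings a flow needs. The function names and sample packets are constructed, and a stateful firewall that permits return traffic is assumed.

```python
import struct

UDP, ESP = 17, 50              # IP protocol numbers
IKE_PORT, NAT_T_PORT = 500, 4500

def classify(ip_proto, dst_port=None, payload=b""):
    """Return (kind, spi) for one packet from a VPN client behind NAT."""
    if ip_proto == ESP:
        # Native ESP has no port field, so PAT has nothing to multiplex on.
        return ("native-esp", None)
    if ip_proto != UDP:
        return ("other", None)
    if dst_port == IKE_PORT:
        return ("ike", None)
    if dst_port != NAT_T_PORT:
        return ("other", None)
    if payload == b"\xff":
        return ("nat-keepalive", None)          # single 0xFF octet (RFC 3948)
    if payload[:4] == b"\x00" * 4 and len(payload) > 4:
        return ("ike-nat-t", None)              # non-ESP marker, then IKE
    if len(payload) >= 8:
        spi, _seq = struct.unpack("!II", payload[:8])
        return ("esp-in-udp", spi)              # ESP header follows UDP header
    return ("malformed", None)

def egress_needed(packets):
    """Outbound (protocol, port) pairs the firewall must permit for this flow."""
    needed = set()
    for proto, port, payload in packets:
        kind, _ = classify(proto, port, payload)
        if kind in ("ike", "ike-nat-t", "esp-in-udp", "nat-keepalive"):
            needed.add(("udp", port))
        elif kind == "native-esp":
            needed.add(("esp", None))
    return needed

# Constructed sample flow: IKE starts on 500, floats to 4500 once NAT is detected.
SAMPLE = [
    (UDP, 500, bytes(28)),
    (UDP, 4500, bytes(4) + bytes(28)),
    (UDP, 4500, struct.pack("!II", 0xC0FFEE01, 1) + bytes(16)),
    (UDP, 4500, b"\xff"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(classify(*pkt))
    print(sorted(egress_needed(SAMPLE)))
```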
