Hi buddy, it's very simple to have a VPN tunnel between 2 routers with a PIX in between without using NAT-T.
I hope you are using tunnel mode.
In the PIX, do a nat (0) from the source IP of the router on the inside to the destination IP of the router outside, and on the outside of the PIX configure an access-list permitting traffic from the outside router IP address to the inside router IP address. That's it; you don't have to configure any NAT-T or any specific ACL for ISAKMP and ESP.
Here, the IP addresses I am referring to are the VPN peer IP addresses of the inside and the outside routers.
I am sure it will work. If you need any more help, do write back.
Hi Sebastian ... it is not as simple as that ... because it is most likely that one of the routers is located on the Internet ... meaning it probably has a routable public address, in which case it is necessary to have static NAT. NAT-T needs to be configured on the devices terminating the VPN, and the PIX needs to be configured to allow the IPsec traffic between the two peers (routers).
On the PIX (inside network) configure:
static (inside,outside) netmask 255.255.255.255
You can filter the protocols you need, i.e. UDP 500, 50, 51, etc., using an access-list applied to the inside interface.
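
The static-NAT approach from the reply above, written out as an added example (not part of the thread) in PIX 6.x syntax. All addresses and the ACL name `outside_in` are constructed placeholders, and the rules are scoped to the two VPN peers only rather than opening IPsec to any source.

```cisco
! Added example. Constructed addresses, not taken from the thread:
!   inside router (VPN peer), real address ....... 10.1.1.2
!   inside router as seen from the outside ....... 192.0.2.10
!   outside router (VPN peer) .................... 198.51.100.20

! One-to-one static translation for the inside router
static (inside,outside) 192.0.2.10 10.1.1.2 netmask 255.255.255.255

! Permit only the remote peer to reach the translated address.
! IKE (UDP 500) is always needed.
access-list outside_in permit udp host 198.51.100.20 host 192.0.2.10 eq isakmp
! With NAT-T negotiated, IKE and ESP both move to UDP 4500.
access-list outside_in permit udp host 198.51.100.20 host 192.0.2.10 eq 4500
! Native ESP (IP protocol 50, not a UDP port) if NAT-T is not negotiated.
access-list outside_in permit esp host 198.51.100.20 host 192.0.2.10

! Bind the ACL inbound on the outside interface
access-group outside_in in interface outside

! Note: applying an ACL to the inside interface as well replaces the
! default "permit higher-to-lower" behaviour with an implicit deny,
! so every other outbound flow must then be permitted explicitly.
```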