VPN site to site behind PAT device

Hi ALL,

I have the below setup:

Internal hosts --> ISA server --> Edge router <<---------- Internet ---------->> Remote router --> remote server

Our ISA is doing PAT and hiding all the internal clients behind the IP "192.168.0.1". I need to initiate a VPN tunnel between two hosts behind the ISA, 10.0.0.221/32 and 10.0.0.224/32, that need to communicate with a remote server on the other side with IP 10.128.241.50/32.

I was able to get the VPN up and ping from the left side (host that resides behind the ISA) to the remote server 10.128.241.50. But the ping from the other side is not working. I know it's because we have a PAT device in front of our internal servers on the left, and to get a two-sided VPN tunnel I need to create static NAT entries on the ISA for the two servers 10.0.0.221 and 10.0.0.224. Unfortunately, that's not doable at the moment, since these servers are participating in other VPN connections.

My question: Is there any workaround that can be applied here without creating static NAT entries, keeping the ISA doing PAT as expected?

Appreciated.

2 Replies

Tariq Bader
Cisco Employee

You have to enable the nat-transparency feature so the traffic would be encapsulated in UDP 4500 (NAT-T) and overcome the PAT issue with ESP.

It must be enabled by default on both routers, so you need to check. Do the following:

crypto ipsec nat-transparency udp-encapsulation

regards,

Tariq
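The mechanism the reply refers to, as an added example that is not part of this thread and not Cisco code: an IKEv2 peer decides that a NAT or PAT device sits on the path by comparing the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications it receives (SHA-1 over the two IKE SPIs, the IP address and the port, RFC 7296 section 2.23) with the address and port it actually observed on the wire. If they differ, both peers move to UDP port 4500 and carry ESP inside UDP (RFC 3948): ESP packets start directly with their SPI, IKE messages on that port get a four-byte zero "non-ESP marker" in front, and a single 0xFF byte is sent periodically as a keepalive so the PAT binding does not time out. The SPIs, addresses and port numbers below are constructed for the demonstration. What this buys you is ESP traversal of a PAT device that cannot translate IP protocol 50; it does not by itself create an inbound PAT mapping for a host the PAT device has never seen outbound traffic from.

```python
import hashlib
import socket
import struct

# RFC 3948 framing on UDP port 4500: ESP packets start directly with the ESP
# header (the SPI, which is never zero); IKE messages are prefixed with a
# 4-byte zero "non-ESP marker"; a lone 0xFF byte is a NAT keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_PORT, NAT_T_PORT = 500, 4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify (RFC 7296 s2.23):
    SHA-1(SPIi | SPIr | IPv4 address | port), SPIs 8 bytes each, port big-endian."""
    assert len(spi_i) == 8 and len(spi_r) == 8
    return hashlib.sha1(spi_i + spi_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes, received_hash: bytes, observed_ip: str, observed_port: int) -> bool:
    """Receiver side of the check: rehash the address/port the packet really came
    from (or was delivered to) and compare with the hash the peer sent.  A
    mismatch in either the address or the port means a NAT rewrote the header."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != received_hash


def encapsulate_ike(ike_msg: bytes) -> bytes:
    """IKE on UDP 4500 carries the non-ESP marker so the receiver can tell it from ESP."""
    return NON_ESP_MARKER + ike_msg


def encapsulate_esp(esp_pkt: bytes) -> bytes:
    """ESP-in-UDP is the raw ESP packet; SPI 0 is reserved precisely so it cannot
    be confused with the non-ESP marker."""
    if esp_pkt[:4] == NON_ESP_MARKER:
        raise ValueError("ESP SPI 0 would collide with the non-ESP marker")
    return esp_pkt


def classify_udp4500(payload: bytes) -> str:
    """What a NAT-T receiver does with each UDP 4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike"
    return "esp"


def ike_sa_init_with_nat_detection(init_private, init_as_seen_by_responder, responder):
    """Simulate the NAT detection in an IKE_SA_INIT request from an initiator that
    may sit behind PAT.  Each argument is a constructed (ip, port) tuple.  Returns
    what the responder concludes and the port the SA will move to."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed initiator SPI
    spi_r = b"\x00" * 8                         # responder SPI is still zero in the request
    # The initiator hashes the address it believes it has (private side of the PAT)
    # and the responder address it is sending to.
    src_hash = nat_detection_hash(spi_i, spi_r, *init_private)
    dst_hash = nat_detection_hash(spi_i, spi_r, *responder)
    # The responder rehashes the translated source it actually saw, and its own address.
    initiator_behind_nat = nat_in_path(spi_i, spi_r, src_hash, *init_as_seen_by_responder)
    responder_behind_nat = nat_in_path(spi_i, spi_r, dst_hash, *responder)
    detected = initiator_behind_nat or responder_behind_nat
    return {
        "initiator_behind_nat": initiator_behind_nat,
        "responder_behind_nat": responder_behind_nat,
        "port": NAT_T_PORT if detected else IKE_PORT,
    }


if __name__ == "__main__":
    # Constructed scenario: initiator 10.0.0.221:500 is PATed to 203.0.113.7:61234
    # before it reaches the responder at 198.51.100.9:500.
    print(ike_sa_init_with_nat_detection(("10.0.0.221", 500), ("203.0.113.7", 61234), ("198.51.100.9", 500)))
    print(classify_udp4500(encapsulate_esp(bytes.fromhex("00001001") + b"\x00" * 8)))
    print(classify_udp4500(encapsulate_ike(b"\x01\x02")))
```

Because the hash covers the port as well as the address, a PAT device that keeps the source address but rewrites the source port is detected just the same, which is why the peers must float to 4500 rather than keep using 500 with a translated port.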

Thanks, Tariq.

So, even if we have devices residing behind the ISA on the 10 subnet, if we enable NAT-T on the edge router (which is our VPN gateway), that would do the job?
